Submission Details
Severity: low
Invalid

Anyone can read the message of soulmates with id equal to 0.

Summary

The uint256 nextID variable declared in Soulmate.sol has a default value of 0. This allows any address that calls the readMessageInSharedSpace function to read the messages of soulmates with an id of 0, due to the implementation of both the writeMessageInSharedSpace and readMessageInSharedSpace functions, as shown below:

@>  /// @notice Allows any soulmates with the same NFT ID to write in a shared space on blockchain.
    /// @param message The message to write in the shared space.
    function writeMessageInSharedSpace(string calldata message) external {
        uint256 id = ownerToId[msg.sender];
@>      sharedSpace[id] = message;
        emit MessageWrittenInSharedSpace(id, message);
    }

@>  /// @notice Allows any soulmates with the same NFT ID to read in a shared space on blockchain.
    function readMessageInSharedSpace() external view returns (string memory) {
        // Add a little touch of romantism
        return
            string.concat(
@>              sharedSpace[ownerToId[msg.sender]],
                ", ",
                niceWords[block.timestamp % niceWords.length]
            );
    }
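
The default-value collision described in the Summary, reduced to a minimal pair of contracts with the weak form beside a hardened one. This is an added example, not code from Soulmate.sol or from the report's author; the contract names, register(), write(), read(), _idOf(), NotRegistered and the pragma are assumptions made for illustration, and the pairing step is simplified.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumed compiler version

// Added illustration: every name below is hypothetical, not from Soulmate.sol.
/// IDs start at 0 and lookups trust the mapping default, as in the report.
contract SharedSpaceCollision {
    uint256 private nextID; // defaults to 0, so the first pair gets ID 0
    mapping(address => uint256) public ownerToId; // unknown address => 0
    mapping(uint256 => string) private sharedSpace;

    function register(address partner) external {
        ownerToId[msg.sender] = nextID;
        ownerToId[partner] = nextID;
        nextID++;
    }

    function write(string calldata message) external {
        sharedSpace[ownerToId[msg.sender]] = message; // unregistered caller hits slot 0
    }

    function read() external view returns (string memory) {
        // An unregistered caller resolves to ID 0 and gets pair 0's message.
        return sharedSpace[ownerToId[msg.sender]];
    }
}

/// Same logic with 0 reserved as "no ID" and rejected on every access.
contract SharedSpaceReservedZero {
    error NotRegistered();
    uint256 private nextID = 1; // 0 never identifies a real pair
    mapping(address => uint256) public ownerToId;
    mapping(uint256 => string) private sharedSpace;

    function register(address partner) external {
        ownerToId[msg.sender] = nextID;
        ownerToId[partner] = nextID;
        nextID++;
    }

    function _idOf(address who) private view returns (uint256 id) {
        id = ownerToId[who];
        if (id == 0) revert NotRegistered();
    }

    function write(string calldata message) external {
        sharedSpace[_idOf(msg.sender)] = message;
    }
    function read() external view returns (string memory) {
        return sharedSpace[_idOf(msg.sender)];
    }
}
```

In both versions the `private` mapping is still readable off-chain by anyone inspecting contract storage, so the check only governs what the contract's own functions return and accept.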

Vulnerability Details

Add the following in the Soulmate.t.sol file:

Code here:
function test_WriteAndReadSharedSpace() public {
    // mints the soulmate token
    _mintOneTokenForBothSoulmates();
    assertTrue(soulmateContract.totalSupply() == 1);

    // sends a message
    vm.prank(soulmate1);
    soulmateContract.writeMessageInSharedSpace("Want to meet Patrick");

    // vm.prank(soulmate2);
    // string memory message = soulmateContract.readMessageInSharedSpace();

    // instead another user reads it
    address insolentUser = makeAddr("soulmate 3");
    vm.prank(insolentUser);
    string memory returnedMessage = soulmateContract.readMessageInSharedSpace();

    string[4] memory possibleMessages = [
        "Want to meet Patrick, sweetheart",
        "Want to meet Patrick, darling",
        "Want to meet Patrick, my dear",
        "Want to meet Patrick, honey"
    ];

    bool found;
    for (uint i; i < possibleMessages.length; i++) {
        if (compare(possibleMessages[i], returnedMessage)) {
            found = true;
            break;
        }
    }

    console2.log(returnedMessage);
    assertTrue(found);
}

Impact

Low: Since it has minimal to no impact on the protocol's functionality.

Tools Used

Manual Review

Recommendations

Initialize the nextID variable to a non-default value:

- uint256 private nextID;
+ uint256 private constant nextID = 1;
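
Review bot: on the added line, `constant` fixes nextID at 1 permanently, so it can no longer be advanced as IDs are handed out and any statement that writes to it will not compile. If the goal is only to keep 0 from being a real ID, initialize the state variable instead, e.g. `uint256 private nextID = 1;`. The read and write functions quoted in the Summary would still resolve an unmapped caller to ownerToId[msg.sender] == 0, so a check there that rejects ID 0 would make the reservation explicit rather than relying on slot 0 staying empty.
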
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
