Beginner Friendly / Foundry / NFT
Submission Details
Severity: low
Invalid

Anyone can read the messages of the `soulmates` who own `nextID` (also known as `tokenID`) `0`. A malicious actor can use what they read to social engineer (phish) the couple.

Summary

The function Soulmate::readMessageInSharedSpace lacks access control. Anyone can read all the messages of the soulmates who own nextID 0, because ownerToId[msg.sender] defaults to 0 for an address that never minted, so the read resolves to sharedSpace[0]. Partners in a relationship usually prefer to keep their conversations private and do not want a third person seeing or getting involved in them.

function readMessageInSharedSpace() external view returns (string memory) {
    // Add a little touch of romantism
    // No check that msg.sender has a soulmate: for an address that never minted,
    // ownerToId[msg.sender] is 0, so the read below returns sharedSpace[0].
@>  return string.concat(sharedSpace[ownerToId[msg.sender]], ", ", niceWords[block.timestamp % niceWords.length]);
}

Vulnerability Details

PoC: Unknown Read
  1. Place the following test code snippet into the test/unit/soulmateTest.t.sol file. Put it at the very bottom of the test contract, before its last closing brace }.

function test_UnknownReadSharedSpace() public {
    address alice = makeAddr("ALICE");
    address bob = makeAddr("BOB");
    address unknown = makeAddr("UNKNOWN");

    // Alice mints first and waits; Bob mints second and is paired with her under tokenID 0.
    vm.startPrank(alice);
    soulmateContract.mintSoulmateToken();
    vm.stopPrank();
    vm.startPrank(bob);
    soulmateContract.mintSoulmateToken();
    vm.stopPrank();

    // Bob writes a message meant only for Alice.
    vm.startPrank(bob);
    string memory message = "Hey i just wanna say, I <3 U";
    soulmateContract.writeMessageInSharedSpace(message);
    vm.stopPrank();

    // An address that never minted reads the same shared space (ownerToId[unknown] == 0).
    vm.startPrank(unknown);
    string memory retrievedMessage = soulmateContract.readMessageInSharedSpace();
    vm.stopPrank();
    console2.log("Message Sent by Bob that was made only for Alice: ", retrievedMessage);
}
  2. Open your Bash terminal and execute the following command...

forge test --mt "test_UnknownReadSharedSpace" -vvv --via-ir
  3. The output should show that the test passed without reverting anywhere, and the logged message shows that anybody can read the messages.

Impact

First of all, anyone can read the messages exchanged between soulmates and turn their chats into a source of entertainment. 😅 Worse, an unknown person with malicious intentions can use the contents of those messages to social engineer the soulmates and run a phishing attack against them. The bad actor can also phish a soulmate directly by pretending to be their partner and claiming to need money, items, etc., in an emergency.

Tools Used

Foundry Framework (Solidity, Rust)

Recommendations

There should be a check that the caller of the Soulmate::readMessageInSharedSpace function actually has a soulmate assigned to the nextID they own.

Update the src/Soulmate.sol file with the following code modifications...

...
...
...
error Soulmate__alreadyHaveASoulmate(address soulmate);
error Soulmate__SoulboundTokenCannotBeTransfered();
+ error Soulmate__DontHaveAnySoulmate(address soulmate);
...
...
...
function readMessageInSharedSpace() external view returns (string memory) {
+ address sendersSoulmate = soulmateOf[msg.sender];
+ if (sendersSoulmate == address(0)) {
+ revert Soulmate__DontHaveAnySoulmate(sendersSoulmate);
+ }
// Add a little touch of romantism
return string.concat(sharedSpace[ownerToId[msg.sender]], ", ", niceWords[block.timestamp % niceWords.length]);
}
...
...
...
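Review bot: the revert at `revert Soulmate__DontHaveAnySoulmate(sendersSoulmate);` is only reached when `sendersSoulmate == address(0)`, so the error always carries the zero address and identifies nobody; pass `msg.sender` instead (`revert Soulmate__DontHaveAnySoulmate(msg.sender);`) so the error names the caller who attempted the read. The new error should also get a one-line NatSpec comment like the existing errors above it.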
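As an added regression test (not part of the original submission or the Soulmate project), the following Foundry test checks the recommended fix from both sides: a paired soulmate can still read the shared space, and an address with no soulmate is rejected. It assumes the modifications above have been applied to src/Soulmate.sol (in particular the custom error Soulmate__DontHaveAnySoulmate), and that it is placed inside the same SoulmateTest contract as the PoC, so `soulmateContract`, `vm`, `makeAddr`, `assertTrue` and the imported `Soulmate` type come from the existing test setup.

```solidity
// Added example: regression test for the access-control fix in
// Soulmate::readMessageInSharedSpace. Assumes the recommended fix is applied
// and that this function lives in the existing SoulmateTest contract.
function test_ReadSharedSpaceRequiresSoulmate() public {
    address alice = makeAddr("ALICE");
    address bob = makeAddr("BOB");
    address unknown = makeAddr("UNKNOWN");

    // Alice mints first and waits; Bob mints second and is paired with her
    // under tokenID 0.
    vm.prank(alice);
    soulmateContract.mintSoulmateToken();
    vm.prank(bob);
    soulmateContract.mintSoulmateToken();

    string memory message = "Hey i just wanna say, I <3 U";
    vm.prank(bob);
    soulmateContract.writeMessageInSharedSpace(message);

    // A paired soulmate can still read: the stored message comes back with
    // the contract's ", <niceWord>" suffix appended, so compare the prefix.
    vm.prank(alice);
    string memory retrieved = soulmateContract.readMessageInSharedSpace();
    assertTrue(_startsWith(retrieved, message), "soulmate should read the shared message");

    // An address that never minted has soulmateOf == address(0) and
    // ownerToId == 0; with the fix the read must revert instead of resolving
    // to sharedSpace[0]. Only the error selector is matched, so the assertion
    // holds regardless of which address the error carries.
    vm.prank(unknown);
    vm.expectRevert(Soulmate.Soulmate__DontHaveAnySoulmate.selector);
    soulmateContract.readMessageInSharedSpace();
}

// Helper (added here): true if `s` begins with `prefix`.
function _startsWith(string memory s, string memory prefix) internal pure returns (bool) {
    bytes memory sb = bytes(s);
    bytes memory pb = bytes(prefix);
    if (pb.length > sb.length) return false;
    for (uint256 i = 0; i < pb.length; i++) {
        if (sb[i] != pb[i]) return false;
    }
    return true;
}
```

Run it with `forge test --mt "test_ReadSharedSpaceRequiresSoulmate" -vvv --via-ir`; before the fix is applied the second half fails because the unknown caller's read returns Bob's message instead of reverting.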
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
