Beginner FriendlyFoundryNFT
Submission Details
Severity: default
Invalid

The protocol uses the `solmate` library by `transmissions11`, a library that is not designed to be safe.

Summary

transmissions11's own README says:

This is experimental software and is provided on an "as is" and "as available" basis.

While each major release has been audited, these contracts are not designed with user safety in mind:

  • There are implicit invariants these contracts expect to hold.

  • You can easily shoot yourself in the foot if you're not careful.

  • You should thoroughly read each contract you plan to use top to bottom.

  • We do not give any warranties and will not be liable for any loss incurred through any use of this codebase.

  1. Soulmate.sol:

import {ERC721} from "@solmate/tokens/ERC721.sol";

  2. LoveToken.sol:

import {ERC20} from "@solmate/tokens/ERC20.sol";

Vulnerability Details

  1. Let's say Bob tries to mint the Soulbound NFT.

  2. An attacker finds a reentrancy hole, exploits it, and ends up minting type(uint256).max Soulbound NFTs.

  3. The same applies to solmate's ERC20 implementation, i.e. minting, approving, and transferring ERC20 tokens.

  4. The owner of Soulmate raises a dispute against transmissions11 over the NFT theft.

  5. transmissions11 replies: Hey Sir, please read our docs; there we mention that we do not give any warranties and will not be liable for any loss incurred through any use of this codebase.

  6. The Soulmate owner (aka the deployer) feels sick. 😅

Impact

No user or protocol safety guarantees and no warranties if any malfunction or hack occurs.

Tools Used

Manual Review.

Recommendations

Use the OpenZeppelin library, which is already installed and can be used as a dependency for this (Soulmate) project.

  1. Soulmate.sol:

- import {ERC721} from "@solmate/tokens/ERC721.sol";
+ import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

  2. LoveToken.sol:

- import {ERC20} from "@solmate/tokens/ERC20.sol";
+ import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
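What the import swap entails in practice, as an added example that is not the Soulmate project's code: a minimal soulbound ERC721 written against OpenZeppelin instead of solmate. It also addresses the re-entrant minting scenario sketched under Vulnerability Details, from the defending side: the per-address "already minted" flag is written before `_safeMint` hands control to the recipient's `onERC721Received`, and `nonReentrant` blocks a nested call a second way. The contract name `SoulboundExample`, the one-token-per-address rule, and the OpenZeppelin v5 import paths (`utils/ReentrancyGuard.sol` lived under `security/` in v4) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Soulmate project's code. Assumes OpenZeppelin v5
// import paths; in v4 ReentrancyGuard lives under security/ instead of utils/.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract SoulboundExample is ERC721, ReentrancyGuard {
    uint256 public nextId;
    mapping(address => bool) public hasMinted;

    error AlreadyMinted(address account);
    error Soulbound();

    // OpenZeppelin's ERC721 ships a working tokenURI(), so unlike solmate's
    // abstract ERC721 nothing further has to be implemented to compile.
    constructor() ERC721("Soulbound Example", "SBE") {}

    // One token per caller (assumed rule). The flag is set BEFORE _safeMint,
    // because _safeMint calls onERC721Received on a contract recipient and
    // hands it control; a nested mint() then fails the hasMinted check.
    // nonReentrant rejects the nested call independently of that ordering.
    function mint() external nonReentrant returns (uint256 id) {
        if (hasMinted[msg.sender]) revert AlreadyMinted(msg.sender);
        hasMinted[msg.sender] = true;
        id = nextId++;
        _safeMint(msg.sender, id);
    }

    // In OpenZeppelin v5 every mint, burn and transfer goes through _update.
    // Only the mint case (no current owner) is allowed, which makes the token
    // non-transferable and non-burnable, i.e. soulbound.
    function _update(address to, uint256 tokenId, address auth)
        internal
        override
        returns (address)
    {
        address from = _ownerOf(tokenId);
        if (from != address(0)) revert Soulbound();
        return super._update(to, tokenId, auth);
    }
}
```

Note that the callback inside `_safeMint` is present in both libraries; swapping solmate for OpenZeppelin changes the implementation you rely on, not the need to order state writes before external calls.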
Updates

Lead Judging Commences

0xnevi (Lead Judge), over 1 year ago:
Submission Judgement Published
Invalidated
Reason: Other
