Soulmates who are divorced will still be able to claim Love token because the `isDivorced` check doesn't work properly
Summary
A user is only supposed to be able to claim Love token if they have a soulmate and they have not divorced their solemate. The claim() function in Airdrop.sol attempts to check that a caller is not divorced by calling isDivorced() in Solmate.sol but the problem is that isDivorced() checks whether msg.sender is divorced. But msg.sender would be the address for Airdrop.sol not the user who called claim()
Therefore, assuming that the address for Airdrop.sol has never been a soulmate of anyone and never been divorced, then the check for whether a caller is divorced will not work and even divorced soulmates will be able to claim Love token.
Vulnerability Details
Here is the isDivorced() function in Soulmate.sol which just checks whether msg.sender is divorced:
And here is the relevant portion of the claim() function in Airdrop.sol which is trying to check if the caller is divorced but inadvertently checks whether the address for Airdrop.sol is divorced since Airdrop.sol will be the msg.sender that calls isDivorced() in Soulmate.sol:
Impact
Soulmates that have divorced will still be able to collect Love tokens
Tools Used
Manual review
Recommendations
Refactor the claim() and isDivorced() functions as follows:
Lead Judging Commences
finding-isDivorced-wrong-check
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.