Submission Details
Severity: medium
Valid

No NFT ownership check on `Soulmate.sol::writeMessageInSharedSpace`.

Summary

There is no ownership check in `Soulmate.sol::writeMessageInSharedSpace`. The function looks up the caller in a mapping, but for a user who does not exist in the mapping the lookup returns zero, which allows a non-owner of NFT id 0 to write to that shared space.

Vulnerability Details

An individual who does not own any NFT can still write in `sharedSpace[0]`.
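The default-zero lookup described above, as an added Foundry example that is not part of the original submission or the Soulmate code base. `SharedSpaceModel`, `isRegistered`, `register`, `writeUnchecked` and `writeChecked` are constructed names, the membership flag is one possible guard assumed for illustration, and the test assumes forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.23;

import {Test} from "forge-std/Test.sol";

// Constructed model of the pattern in this finding; not the Soulmate contract.
contract SharedSpaceModel {
    error NotRegistered();

    mapping(address => uint256) public ownerToId; // a missing key reads as 0
    mapping(address => bool) public isRegistered; // hypothetical membership flag
    mapping(uint256 => string) public sharedSpace;
    uint256 public nextId;

    function register() external {
        require(!isRegistered[msg.sender], "already registered");
        isRegistered[msg.sender] = true;
        ownerToId[msg.sender] = nextId++;
    }

    // Vulnerable shape: an unregistered caller resolves to id 0.
    function writeUnchecked(string calldata message) external {
        sharedSpace[ownerToId[msg.sender]] = message;
    }

    // Hardened shape: membership is verified before the id lookup is trusted.
    function writeChecked(string calldata message) external {
        if (!isRegistered[msg.sender]) revert NotRegistered();
        sharedSpace[ownerToId[msg.sender]] = message;
    }
}

contract SharedSpaceModelTest is Test {
    SharedSpaceModel model = new SharedSpaceModel();
    address owner0 = makeAddr("owner0"); // constructed test addresses
    address stranger = makeAddr("stranger");

    function test_unregisteredCallerResolvesToIdZero() public {
        vm.prank(owner0);
        model.register(); // owner0 receives id 0
        vm.prank(stranger);
        model.writeUnchecked("overwritten"); // lands in sharedSpace[0]
        assertEq(model.sharedSpace(0), "overwritten");

        vm.prank(stranger);
        vm.expectRevert(SharedSpaceModel.NotRegistered.selector);
        model.writeChecked("blocked");
    }
}
```

An explicit membership flag avoids relying on id 0 as both a real id and the "not found" value; starting ids at 1 is another way to remove that ambiguity.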

Impact

The owners of NFT 0 now have their shared space open to any malicious individual who wishes to write in their space, breaking the protocol for these users.

Tools Used

Foundry

Recommendations

It is recommended to check that the caller owns an NFT before allowing them to write in the shared space.

function writeMessageInSharedSpace(string calldata message) external {
//@audit no chekc if owner actually has an nft, ie zero id anyone can write to it
+ if(balanceOf(msg.sender) == 0) {revert;} //AP
uint256 id = ownerToId[msg.sender];
sharedSpace[id] = message;
emit MessageWrittenInSharedSpace(id, message);
}
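Review bot: on the added `+` line, `revert;` lacks the call parentheses; write `revert();` or, preferably, a custom error such as `revert Soulmate__CallerHasNoNft();` (hypothetical name) so a rejected caller can see why the call failed. The guard reads `balanceOf(msg.sender)` while the id still comes from `ownerToId[msg.sender]`, so it is worth confirming that every address with an `ownerToId` entry also has a non-zero balance, otherwise a legitimate partner would be locked out of their own shared space. The `//@audit` and `//AP` working comments should be dropped from the final change.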
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-write-message-nft-0-id

Medium Severity. This has an indirect impact and influence on the possibility of divorce between soulmates owning the first soulmate NFT id0, leading to permanent loss of ability to earn airdrops/staking rewards.
