Submission Details
Severity: medium
Valid

`Soulmate::mintSoulmateToken()` allows anyone to soulmate with himself

Summary

Anyone can soulmate with himself.

Vulnerability Details

Because `Soulmate::mintSoulmateToken()` has no check on the second caller, the first soulmate can call the function twice and soulmate with himself.

Impact

Even if this doesn't break the other functionalities in major ways, it goes against the protocol's main goal (soulmate with another random individual).

Tools Used

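Add the following unit test to `SoulmateTest.t.sol`:

```solidity
function test_canSoulmateWithMySelf() public {
    vm.startPrank(soulmate1);
    // First call: soulmate1 takes the first slot and waits for a partner.
    soulmateContract.mintSoulmateToken();
    // Second call from the same address fills the second slot.
    soulmateContract.mintSoulmateToken();
    assertTrue(soulmateContract.soulmateOf(soulmate1) == soulmate1);
    vm.stopPrank();
}
```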

Recommendations

Add the missing check in the `else if` block of the function:

```solidity
else if (soulmate2 == address(0)) {
    require(soulmate1 != msg.sender, "Can't soulmate with yourself");
    idToOwners[nextID][1] = msg.sender;
    // ...
    _mint(msg.sender, nextID++);
}
```

Alternatively, you can add this line right after the local variable `soulmate1` is initialised, to save some gas:

```solidity
address soulmate1 = idToOwners[nextID][0];
require(soulmate1 != msg.sender, "Can't soulmate with yourself");
```
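
A regression test for the recommended check, as an added example that is not part of the original submission or the audited code base. `PairingModel` is a hypothetical, simplified stand-in for the pairing logic (no ERC721 mint, only the state names shown above), and `alice` and `bob` are constructed test addresses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.23;

import {Test} from "forge-std/Test.sol";

// Simplified model of the pairing logic (assumption, not the audited contract):
// only the state named in the finding is kept and the token mint is omitted.
contract PairingModel {
    mapping(uint256 => address[2]) public idToOwners;
    mapping(address => address) public soulmateOf;
    uint256 public nextID;

    function mintSoulmateToken() external {
        address soulmate1 = idToOwners[nextID][0];
        // Recommended check: the waiting first caller cannot fill the second slot.
        require(soulmate1 != msg.sender, "Can't soulmate with yourself");
        if (soulmate1 == address(0)) {
            idToOwners[nextID][0] = msg.sender;
        } else {
            idToOwners[nextID][1] = msg.sender;
            soulmateOf[msg.sender] = soulmate1;
            soulmateOf[soulmate1] = msg.sender;
            nextID++;
        }
    }
}

contract SelfPairingRegressionTest is Test {
    PairingModel internal model = new PairingModel();
    address internal alice = makeAddr("alice"); // constructed test addresses
    address internal bob = makeAddr("bob");

    function test_secondCallBySameAddressReverts() public {
        vm.startPrank(alice);
        model.mintSoulmateToken();
        vm.expectRevert(bytes("Can't soulmate with yourself"));
        model.mintSoulmateToken();
        vm.stopPrank();
        // The reverted call must leave alice unpaired.
        assertEq(model.soulmateOf(alice), address(0));
    }

    function test_distinctAddressesStillPair() public {
        vm.prank(alice);
        model.mintSoulmateToken();
        vm.prank(bob);
        model.mintSoulmateToken();
        assertEq(model.soulmateOf(alice), bob);
        assertEq(model.soulmateOf(bob), alice);
        assertEq(model.nextID(), 1);
    }
}
```
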
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-self-soulmate

- Given the native anonymous nature of blockchain in general, this issue cannot be avoided unless an explicit whitelist is implemented. Even then we can only confirm soulmates are distinct individuals via KYC. I believe finding a soulmate is intended to be permissionless.
- However, even though sufficient (500_000_000e18 in each vault) tokens are minted to claim staking and airdrop rewards, it would take 500_000_000 / 2 combined weeks for airdrop vault to be drained which is not unreasonable given there are [80+ million existing wallets](https://coinweb.com/trends/how-many-crypto-wallets-are-there/). Given there is no option to mint new love tokens, this would actually ruin the functionality of the protocol of finding soulmates and shift the focus to abusing a sybil attack to farming airdrops instead. Assigning medium severity for now but am open for appeals otherwise, since most if not all issues lack in-depth analysis of the issue.
