First Flight #9: Soulmate
First Flight #9
Submission Details
Severity: high
ValidThe function claimRewards() fails to check whether the caller has a Soulmate, allowing any caller without a Soulmate to claim staking rewards belonging to the NFT owner with id 0.
Updates
Lead Judging Commences
Submission Judgement Published
Validated
Assigned finding tags:
finding-claimRewards-nft-0-lastClaim
High severity, as it allows any pending user to claim staking rewards without owning a soulmate NFT by - Obtaining love tokens on secondary markets - Transfer previously accrued love tokens via airdrops/rewards to another account and abusing the `deposit()` function
Rewards breakdown
nSLOC
233This contest has a flat reward structure with the following payouts:
High
100 EXP
Medium
20 EXP
Low
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Community Judging
Submissions are being reviewed by the community.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.