First Flight #9: Soulmate
First Flight #9
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Reliance on `block.timeStamp` in `Airdrop::claim` for couple duration exposes risk to malicious users thus risking unfair token distribution.

oxenzo

Description: This function calculates token rewards based on the duration of a couple's relationship using block.timeStamp, which is susceptible to manipulation by miners. This vulnerability can lead to unfair token distribution, compromising the airdrop's integrity and security.

function claim() public {
if (soulmateContract.isDivorced()) revert Airdrop__CoupleIsDivorced();
uint256 numberOfDaysInCouple = (
@> block.timestamp - soulmateContract.idToCreationTimestamp(soulmateContract.ownerToId(msg.sender))
) / daysInSecond;
uint256 amountAlreadyClaimed = _claimedBy[msg.sender];
if (amountAlreadyClaimed >= numberOfDaysInCouple * 10 ** loveToken.decimals()) {
revert Airdrop__PreviousTokenAlreadyClaimed();
}
uint256 tokenAmountToDistribute = (numberOfDaysInCouple * 10 ** loveToken.decimals()) - amountAlreadyClaimed;
if (tokenAmountToDistribute >= loveToken.balanceOf(address(airdropVault))) {
tokenAmountToDistribute = loveToken.balanceOf(address(airdropVault));
}
_claimedBy[msg.sender] += tokenAmountToDistribute;
emit TokenClaimed(msg.sender, tokenAmountToDistribute);
loveToken.transferFrom(address(airdropVault), msg.sender, tokenAmountToDistribute);
}

Impact: This exploit allows miners to manipulate couple duration, potentially enabling unfair token distribution and compromising airdrop integrity.

Proof of Concept:

  1. Both the attacker and a soulmate mint a Soulmate token.

  2. The attacker can then skew the block.timeStamp variable to a desired value to ensure a huge difference in the accurate current time.

  3. The attacker then calls on the Airdrop::claim function with the manipulated block.timeStamp variable causing the numberOfDaysInCouple calculation to yield a larger value than the actual duration of the couple's relationship.

  4. As a result, the function calculates a higher tokenAmountToDistribute, potentially exceeding the available balance in the airdrop vault.

  5. The function then transfers tokens based on the manipulated calculation, allowing the attacker to claim an unfair amount of tokens.

Proof Of Code

Place the following into the AirdropTest.t.sol.

function test_getMorethanOneLoveTokenByAlteringTimeStamp() public {
vm.warp(1 days);
vm.prank(attacker);
soulmateContract.mintSoulmateToken();
vm.prank(soulmate2);
soulmateContract.mintSoulmateToken();
vm.warp(900000000000000 days);
vm.startPrank(attacker);
airdropContract.claim();
console.log("Claimed LoveTokens Amount: ", loveToken.balanceOf(attacker));
vm.stopPrank();
// ......
// The more days the attacker uses to manipulate the block.timeStamp, the more tokens the airdrop vault assigns to the attacker thus making the attacker potentially exceed the LoveToken balance of the airdropVault
}

Note: The attacker adjusted the block.timeStamp to a high amount of days(900_000_000_000_000 days), to get an unfair Lovetoken acquirance of worth 500_000_000.

Recommended Mitigation: Consider using an off-chain Oracle to get the accurate present time for claiming a LoveToken token.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.