Only every second soulmate gets an NFT
Summary
In the README is says: "The Soulbound NFT shared by soulmates used in the protocol" However, the only thing soulmates share is an ID in the idToOwners mapping. Only every second soulmate actually gets an NFT. It's like: "Let's buy a rembrand together 50-50, but we'll hang it at my house, forever" To add insult to injury, the idToOwners mapping is marked private, so there's not even an (easy) way to view or show your "indirect" ownership.
Impact
If owning the NFT is going to be a very coveted thing at some point, There might even grow a thing where users will try to "time" their entry into the "marriage" to make sure they are the second entrant in a pair.
Proof of Concept
Please paste this test at the bottom in SoulmateTest.t.sol and run: forge test --mt test_onlySoulmate2GetsNFT -vvvvv
stack-trace: emit Transfer(from: 0x0000000000000000000000000000000000000000, to: soulmate2: [0xe93A5E9F20AF38E00a08b9109D20dEc1b965E891], id: 0)
Tools Used
manual review
Recommendations
One option is to mint 2 NFT's with cross-refrencing meta-data per couple and send each soulmate one. Or, wile the README claims: "It is used by Airdrop.sol and Staking.sol to know how long the couple are in love." Since this is only half-true at best, the protocol could choose to completely get rid of the NFT's and just keep the mapping of id to soulmates [2].
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.