NFT is not minted to the two users
Summary
The Soulmate contracts aim to mint non-fungible tokens (NFTs) representing the soulmate relationship between two users. However, the current implementation only mints the NFT to one user's wallet address. The other user must rely on a mapping structure to confirm their connection to the NFT.
Vulnerability Details
The minting process in Soulmate currently:
Mints an NFT to only one user address
Maps both user to the tokenId
This means the NFT itself only resides with one user, contrary to typical NFT ownership and transfers.
The other user has no wallet confirmation of NFT ownership beyond trusting the contract's mapping.
Impact
Minting to only one wallet address:
Breaks expectations of traditional NFT ownership transfers
Means one user must rely on trusting mapping integrity
Loses confirmation and visibility of direct wallet ownership for the second user
Tools Used
Manual Review
Recommendations
To align with typical NFT decentralized ownership:
Mint two paired non-fungible tokens to each user's wallet address
Create a bonding mechanism between the tokens in the contract code
This provides both users definitive proof of ownership through their wallet contents. Trust relies on contract logic, not extra mapping structures.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.