Divorce involves just one user
Summary
The Soulmate contracts currently allow either member of a soulmate pairing to call a function to initiate a divorce. This allows one party to unilaterally break the soulbound relationship without agreement from the other individual.
Vulnerability Details
The divorce mechanism in the contracts uses the getDivorced() function. This can be called by just one of the paired soulmate addresses to initiate separation.
There is no two-way consent required - if Soulmate A calls getDivorced(), the link between A and their partner can be severed without any confirmation from the partner.
Impact
Allowing unilateral divorce in Soulmate has the following issues:
Breaches expected joint divorce agreements in real relationships
Enables bad actors griefing partner connections without mutual dissolutions
Harms user experience when links are severed unexpectedly/unfairly
This functionally works but does not align well with user expectations.
Tools Used
Manual Review
Recommendations
To better match real-world relationships:
Update getDivorced() to require both soulmates to approve ending the bond
Emit events on initiation and confirmation to ensure mutual consent
Create arbitration logic if both parties cannot agree on separation
Enforcing two-party confirmation prevents unilateral behavior and builds faith in the soulbinding notion.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.