Submission Details
Severity: high
Invalid

Missing soulmate-address check in Soulmate::readMessageInSharedSpace() causes a privacy issue for the person whose NFT ID is zero.

Summary

The Soulmate::readMessageInSharedSpace() function allows any soulmates with the same NFT ID to read a shared space on the blockchain, but it creates a privacy issue for the address whose NFT ID is zero.

Vulnerability Details

Soulmate::readMessageInSharedSpace() identifies the caller's shared space by ownerToId[msg.sender] and performs no other check, so a third person can read your message. This is possible when:

(a). You are the first person to call the mint soulmate token function, before anybody else has minted a token, so your NFT ID is zero. (Here the two soulmates are alice and charlie.) This means any address whose NFT ID is zero can read your message.

(b). A third person, bob, has never called the mint soulmate function, so bob's NFT ID is also zero, because an unset mapping entry reads as zero.
Given how the function works, bob is allowed to read the message written by alice for charlie.

Code Snippet

    /// @notice Allows any soulmates with the same NFT ID to read in a shared space on blockchain.
    function readMessageInSharedSpace() external view returns (string memory) {
        // Add a little touch of romantism
        return
            string.concat(
                sharedSpace[ownerToId[msg.sender]],
                ", ",
                niceWords[block.timestamp % niceWords.length]
            );
    }

Impact

The person holding NFT ID zero has no privacy for their message.

POC

    function test_ThirdpersoncanReadSharedSpace() public {
        // alice and charlie mint first and become the couple with NFT ID 0
        vm.prank(alice);
        soulmateContract.mintSoulmateToken();
        vm.prank(charlie);
        soulmateContract.mintSoulmateToken();

        // alice writes a message for charlie
        vm.prank(alice);
        soulmateContract.writeMessageInSharedSpace("Buy some eggs");

        // charlie, the legitimate soulmate, reads it
        vm.prank(charlie);
        string memory message = soulmateContract.readMessageInSharedSpace();

        string[4] memory possibleText = [
            "Buy some eggs, sweetheart",
            "Buy some eggs, darling",
            "Buy some eggs, my dear",
            "Buy some eggs, honey"
        ];
        bool found;
        for (uint i; i < possibleText.length; i++) {
            if (compare(possibleText[i], message)) {
                found = true;
                break;
            }
        }
        console2.log(message);
        assertTrue(found);

        // bob never minted, so ownerToId[bob] is 0 and he reads the same message
        vm.prank(bob);
        string memory message1 = soulmateContract.readMessageInSharedSpace();

        string[4] memory possibleText1 = [
            "Buy some eggs, sweetheart",
            "Buy some eggs, darling",
            "Buy some eggs, my dear",
            "Buy some eggs, honey"
        ];
        bool found1;
        for (uint i; i < possibleText1.length; i++) {
            if (compare(possibleText1[i], message1)) {
                found1 = true;
                break;
            }
        }
        console2.log(message1);
        assertTrue(found1);
    }

Tools Used

Foundry

Recommendations

Check that the caller has a soulmate address before returning the message.

    /// @notice Allows any soulmates with the same NFT ID to read in a shared space on blockchain.
    function readMessageInSharedSpace() external view returns (string memory) {
        // Add a little touch of romantism
        address soulmate2 = soulmateOf[msg.sender];
        require(soulmate2 != address(0));
        return
            string.concat(
                sharedSpace[ownerToId[msg.sender]],
                ", ",
                niceWords[block.timestamp % niceWords.length]
            );
    }

POC:

    function test_ThirdpersoncannotReadSharedSpace() public {
        // alice and charlie mint first and become the couple with NFT ID 0
        vm.prank(alice);
        soulmateContract.mintSoulmateToken();
        vm.prank(charlie);
        soulmateContract.mintSoulmateToken();

        // alice writes a message for charlie
        vm.prank(alice);
        soulmateContract.writeMessageInSharedSpace("Buy some eggs");

        // charlie, the legitimate soulmate, can still read it
        vm.prank(charlie);
        string memory message = soulmateContract.readMessageInSharedSpace();

        string[4] memory possibleText = [
            "Buy some eggs, sweetheart",
            "Buy some eggs, darling",
            "Buy some eggs, my dear",
            "Buy some eggs, honey"
        ];
        bool found;
        for (uint i; i < possibleText.length; i++) {
            if (compare(possibleText[i], message)) {
                found = true;
                break;
            }
        }
        console2.log(message);
        assertTrue(found);

        // bob has no soulmate, so the read now reverts
        vm.prank(bob);
        vm.expectRevert();
        string memory message1 = soulmateContract.readMessageInSharedSpace();
    }
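A reduced model of the lookup described in this report, written as an added example (not the audited contract's code or the submitter's). SharedSpaceModel, Outsider, waiting, nextId, mint, write, readUnchecked, readChecked, peek and peekChecked are assumed names; ownerToId, soulmateOf and sharedSpace follow the snippets above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration: keeps only the state needed to show the default-zero aliasing.
contract SharedSpaceModel {
    mapping(address => uint256) public ownerToId;  // unset keys read as 0
    mapping(address => address) public soulmateOf; // unset keys read as address(0)
    mapping(uint256 => string) sharedSpace;
    uint256 public nextId;   // the first couple gets ID 0, as in the report
    address private waiting; // assumed: first half of the couple being formed

    function mint() external {
        require(soulmateOf[msg.sender] == address(0) && msg.sender != waiting, "already minted");
        ownerToId[msg.sender] = nextId;
        if (waiting == address(0)) {
            waiting = msg.sender;
        } else {
            soulmateOf[waiting] = msg.sender;
            soulmateOf[msg.sender] = waiting;
            waiting = address(0);
            nextId++;
        }
    }

    // Model choice (assumption): only paired owners write.
    function write(string calldata message) external {
        require(soulmateOf[msg.sender] != address(0), "no soulmate");
        sharedSpace[ownerToId[msg.sender]] = message;
    }

    // Lookup as in the report's Code Snippet: a caller who never minted resolves to ID 0.
    function readUnchecked() external view returns (string memory) {
        return sharedSpace[ownerToId[msg.sender]];
    }

    // Lookup with the report's recommended guard: the caller must have a soulmate.
    function readChecked() external view returns (string memory) {
        require(soulmateOf[msg.sender] != address(0), "no soulmate");
        return sharedSpace[ownerToId[msg.sender]];
    }
}

// An address that never minted (bob's position in the report's POC).
contract Outsider {
    function peek(SharedSpaceModel m) external view returns (string memory) {
        return m.readUnchecked(); // returns couple 0's message
    }
    function peekChecked(SharedSpaceModel m) external view returns (string memory) {
        return m.readChecked(); // reverts with "no soulmate"
    }
}
```

The guard only restricts what the function returns; sharedSpace is still contract storage, which anyone can read directly from chain state.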
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
