First Flight #9: Soulmate

First Flight #9

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Unauthorized Minting, Minting tokens without a valid soulmate

0xVinylDavyl

Summary

The mintSoulmateToken function in the Soulmate.sol contract allows attackers to mint tokens without a valid soulmate, leading to unauthorized token creation and potential manipulation of the soulmate system. This vulnerability could result in an inflated supply of NFTs and undermine the integrity of the Soulmate protocol.

Vulnerability Details

POC

function mintSoulmateToken() public returns (uint256) {

address soulmate = soulmateOf[msg.sender];

if (soulmate != address(0))

revert Soulmate__alreadyHaveASoulmate(soulmate);

address soulmate1 = idToOwners[nextID][0];

address soulmate2 = idToOwners[nextID][1];

if (soulmate1 == address(0)) {

idToOwners[nextID][0] = msg.sender;

ownerToId[msg.sender] = nextID;

emit SoulmateIsWaiting(msg.sender);

} else if (soulmate2 == address(0)) {

idToOwners[nextID][1] = msg.sender;

ownerToId[msg.sender] = nextID;

soulmateOf[msg.sender] = soulmate1;

soulmateOf[soulmate1] = msg.sender;

idToCreationTimestamp[nextID] = block.timestamp;

_mint(msg.sender, nextID++);

}

return ownerToId[msg.sender];

}

Impact

Unauthorized minting allows attackers to create tokens without a valid soulmate, leading to an inflated supply of NFTs and potential manipulation of the Soulmate protocol. This could undermine the integrity of the Soulmate system and erode trust among users.

Tools Used

No specific tools were used for this analysis.

Recommendations

Implement proper access control mechanisms to ensure that only authorized users can mint tokens. Validate the relationship between soulmates before allowing token minting to prevent unauthorized creations. Consider incorporating role-based access control to restrict minting privileges to authorized individuals or entities.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

233

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.