The writeMessageInSharedSpace function in the Soulmate contract allows any soulmates with the same NFT ID to write messages in a shared space. However, this lack of validation opens the possibility for attackers to tamper with messages, potentially spreading misinformation or malicious content within the shared space.
The vulnerability arises from unrestricted access to the writeMessageInSharedSpace function: any address holding a valid NFT ID can write messages without proper validation. The function does not check that the caller is actually authorized to write messages for the given NFT ID, so any address with a valid NFT ID can manipulate or tamper with the messages stored in the shared space.
Misinformation: Attackers could modify messages to spread false or misleading information within the shared space.
Reputation Damage: Tampered messages could harm the reputation of the Soulmate platform and cause distrust among users.
Confusion: Users may become confused or misled by tampered messages, leading to a breakdown in communication and trust within the community.
Manual code review and analysis.
Implement message validation mechanisms to ensure that only authorized users can write messages and prevent tampering with shared messages. Utilize cryptographic techniques such as digital signatures or hashing to verify message integrity before accepting them into the shared space.
It is essential to implement proper authentication and authorization mechanisms in the writeMessageInSharedSpace function. Below is an example of how you can enhance the function to include validation checks:
In addition to basic ownership checks, implement more sophisticated authorization logic based on specific roles or permissions. Furthermore, consider integrating cryptographic techniques such as digital signatures or hashing to verify message integrity before accepting them into the shared space. This would add an extra layer of security and help prevent unauthorized message tampering.
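The following is an added illustration of the recommended check, not code from the Soulmate project or from the finding's author. It assumes a simplified pairing model (each NFT ID bound to exactly two soulmate addresses, recorded by a trusted minter), and the contract, storage and function names other than writeMessageInSharedSpace are invented for the example. The unchecked variant is kept alongside the hardened one so the difference is visible; the hardened version reverts unless msg.sender is one of the two addresses bound to the ID, and records the author in the event so tampering attempts are attributable on-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the Soulmate project's code). Pairing model, storage
// layout and helper names are assumptions made for illustration.
contract SharedSpaceExample {
    // Assumption: each NFT id is bound to exactly two soulmate addresses.
    mapping(uint256 => address) public soulmate1;
    mapping(uint256 => address) public soulmate2;
    // One shared message slot per NFT id.
    mapping(uint256 => string) public sharedSpace;

    // Only this address may bind a pair to an id (stands in for minting logic).
    address public immutable minter;

    // The author is emitted so off-chain monitoring can attribute every write.
    event MessageWrittenInSharedSpace(uint256 indexed id, address indexed author, string message);

    error NotMinter(address caller);
    error UnpairedId(uint256 id);
    error NotSoulmateOfId(uint256 id, address caller);

    constructor(address minter_) {
        minter = minter_;
    }

    // Bind two distinct non-zero addresses to an unused id.
    function pair(uint256 id, address a, address b) external {
        if (msg.sender != minter) revert NotMinter(msg.sender);
        require(soulmate1[id] == address(0), "id already paired");
        require(a != address(0) && b != address(0) && a != b, "invalid pair");
        soulmate1[id] = a;
        soulmate2[id] = b;
    }

    // True when `who` is one of the two addresses bound to `id`.
    function isSoulmateOf(uint256 id, address who) public view returns (bool) {
        return who != address(0) && (soulmate1[id] == who || soulmate2[id] == who);
    }

    // Vulnerable pattern (kept for contrast): no check that the caller is
    // bound to `id`, so anyone can overwrite any couple's message.
    function writeMessageInSharedSpaceUnchecked(uint256 id, string calldata message) external {
        sharedSpace[id] = message;
        emit MessageWrittenInSharedSpace(id, msg.sender, message);
    }

    // Hardened version: the id must be paired and the caller must be one of
    // its two soulmates; otherwise the call reverts with a descriptive error.
    function writeMessageInSharedSpace(uint256 id, string calldata message) external {
        if (soulmate1[id] == address(0)) revert UnpairedId(id);
        if (!isSoulmateOf(id, msg.sender)) revert NotSoulmateOfId(id, msg.sender);
        sharedSpace[id] = message;
        emit MessageWrittenInSharedSpace(id, msg.sender, message);
    }
}
```

The check is deliberately tied to the pairing record rather than to NFT balance alone, because the finding's concern is that holding some valid ID is not the same as being authorized for the ID being written to. Rejecting unpaired IDs up front also closes the default-zero case that a bare mapping lookup would otherwise accept. Signature-based integrity (the second part of the recommendation) would sit on top of this: the same function could require an EIP-712 signature from the partner before accepting a message, but that is a separate design decision and is not shown here.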