First Flight #9: Soulmate

First Flight #9

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Denial of Service (DoS) in the getDivorced function allowing users to cancel the possibility for two lovers to collect LoveToken from the airdrop. could result in financial losses

0xVinylDavyl

Summary

The getDivorced function in the Soulmate protocol allows users to cancel the possibility for two lovers to collect LoveToken from the airdrop. However, this functionality can be exploited by malicious users to launch a Denial of Service (DoS) attack, disrupting the Soulmate protocol and preventing legitimate users from claiming rewards.

Vulnerability Details

The vulnerability arises from the lack of rate limiting or access controls in the getDivorced function, which allows users to call it repeatedly without any restrictions. Below is the function:

/// @notice Cancel the possibility for two lovers to collect LoveToken from the airdrop.

function getDivorced() public {

address soulmate2 = soulmateOf[msg.sender];

divorced[msg.sender] = true;

divorced[soulmateOf[msg.sender]] = true;

emit CoupleHasDivorced(msg.sender, soulmate2);

}

This function can be called multiple times by the same user or different users, leading to a significant disruption in the Soulmate protocol's functionality.

Impact

Disruption of the Soulmate protocol's functionality.
Prevention of legitimate users from claiming LoveToken rewards.
Financial losses for users relying on LoveToken rewards for staking or other purposes.

Tools Used

Through code review and analysis.

Recommendations

To mitigate the risk of DoS attacks, it is recommended to implement rate limiting or access controls in the getDivorced function. Sample of to enhance the function to include rate limiting:

/// @notice Cancel the possibility for two lovers to collect LoveToken from the airdrop.

function getDivorced() public {

address soulmate2 = soulmateOf[msg.sender];

// Check if the caller has not already been divorced

require(!divorced[msg.sender], "Already divorced.");

// Perform additional rate limiting or access controls here if needed

divorced[msg.sender] = true;

divorced[soulmateOf[msg.sender]] = true;

emit CoupleHasDivorced(msg.sender, soulmate2);

}

Additionally, consider implementing mechanisms such as cooldown periods or gas cost adjustments to discourage repeated calls to this function. These measures will help protect the Soulmate protocol from DoS attacks and ensure the stability of the platform.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

233

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.