The mintSoulmateToken function could be susceptible to front-running: a malicious user could watch the transaction pool and attempt to become someone's soulmate by calling the function with the same nextID before the original transaction is confirmed.
A miner can likewise front-run the transaction by submitting a transaction with the same nextID before the original transaction is confirmed. By calling the mintSoulmateToken function with the same nextID before the original user's transaction is confirmed, the attacker can become the soulmate instead of the original user and steal the original user's funds.
This could result in the original transaction being reverted and the malicious user becoming the soulmate instead. Additionally, logical errors can lead to unintended pairings via potential sandwich attacks.
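The ordering dependence described above, as a toy Python model added here (it is not the Soulmate contract's code). It assumes that the first caller waits on the current nextID and the next caller fills that slot, and that pending transactions execute highest fee first; the names alice, bob and mallory and the fee values are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PairingModel:
    """Toy model (constructed): first caller waits on next_id, next caller fills it."""
    next_id: int = 0
    waiting: Optional[str] = None
    pairs: dict = field(default_factory=dict)

    def mint_soulmate_token(self, caller: str) -> int:
        taken = any(caller in pair for pair in self.pairs.values())
        if taken or caller == self.waiting:
            raise ValueError("caller already waiting or paired")
        if self.waiting is None:
            self.waiting = caller          # opens the slot at next_id
            return self.next_id
        slot = self.next_id
        self.pairs[slot] = (self.waiting, caller)   # fills the open slot
        self.waiting = None
        self.next_id += 1
        return slot


def execute_block(model: PairingModel, pending: list) -> dict:
    """Apply pending (caller, fee) transactions, highest fee first (assumed ordering)."""
    for caller, _fee in sorted(pending, key=lambda tx: tx[1], reverse=True):
        try:
            model.mint_soulmate_token(caller)
        except ValueError:
            pass  # stands in for a reverted transaction
    return model.pairs


def scenario(pending: list) -> PairingModel:
    """alice's call is already confirmed and waiting; then one block of pending calls."""
    model = PairingModel()
    model.mint_soulmate_token("alice")
    execute_block(model, pending)
    return model


if __name__ == "__main__":
    quiet = scenario([("bob", 10)])
    contested = scenario([("bob", 10), ("mallory", 50)])
    print("bob alone:       ", quiet.pairs)
    print("higher fee first:", contested.pairs, "| still waiting:", contested.waiting)
```

In this model the intended partner is not reverted but is left waiting on the next ID, which is one way the unintended pairing can surface.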
Manual review of smart contract code with Audit Wizard
This front-running can be addressed by applying time locks under which participants can only call Soulmate::mintSoulmateToken after a certain period of time has passed since Soulmate::mintSoulmateToken was called. This would prevent attackers from front-running Soulmate::mintSoulmateToken and calling the mintSoulmateToken function before the legitimate user is selected.