First Flight #9: Soulmate
First Flight #9
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Users can become soulmates with themselves, can deplete protocol funds by generating a lot of self-paired soulmates

paprikrumplikas

Summary

Soulmate::mintSoulmateToken is designed to facilitate the pairing of users with their soulmates. However, due to a flaw in the implementation, it is possible for a user to become their own soulmate, which contradicts the intended functionality and logic of creating interpersonal connections between different participants.

Vulnerability Details

The vulnerability arises from the lack of checks within the mintSoulmateToken function to prevent a user from being paired with themselves. By calling mintSoulmateToken twice in succession without any intervening action, a user can bypass the intended pairing logic and end up being recorded as their own soulmate. This issue is demonstrated in the provided test code, where user1 successfully becomes their own soulmate after calling mintSoulmateToken twice:

function test_usersCanBecomeTheirOwnSoulmate() public {
vm.prank(user1);
soulmateContract.mintSoulmateToken();
vm.prank(user1);
soulmateContract.mintSoulmateToken();
assertEq(user1, soulmateContract.soulmateOf(user1));
}

Impact

Allowing users to become their own soulmates undermines the core purpose of the Soulmate contract and can have a number of undesirable effects:

  1. Distorts Contract Logic: The fundamental logic and purpose of the contract are compromised, as the system is designed to foster connections between different users, not self-associations.

  2. A malicious user can generate numerous self-paired soulmates. Creating self-paired soulmates can lead to unwarranted extraction of resources, such as claiming airdrops meant for genuinely paired users. This not only depletes the resources available for legitimate users but also inflates participation metrics, potentially draining the contract's assets.

Tools Used

Manual review.

Recommendations

Include a check that prevents a user from being paired with themselves:

function mintSoulmateToken() public returns (uint256) {
// Check if people already have a soulmate, which means already have a token
address soulmate = soulmateOf[msg.sender];
if (soulmate != address(0)) {
revert Soulmate__alreadyHaveASoulmate(soulmate);
}
address soulmate1 = idToOwners[nextID][0];
address soulmate2 = idToOwners[nextID][1];
if (soulmate1 == address(0)) {
idToOwners[nextID][0] = msg.sender;
ownerToId[msg.sender] = nextID;
emit SoulmateIsWaiting(msg.sender);
} else if (soulmate2 == address(0)) {
+ require(msg.sender != soulmate1, "Can't be your own soulmate!");
idToOwners[nextID][1] = msg.sender;
// Once 2 soulmates are reunited, the token is minted
ownerToId[msg.sender] = nextID;
soulmateOf[msg.sender] = soulmate1;
soulmateOf[soulmate1] = msg.sender;
idToCreationTimestamp[nextID] = block.timestamp;
emit SoulmateAreReunited(soulmate1, soulmate2, nextID);
_mint(msg.sender, nextID++);
}
return ownerToId[msg.sender];
}
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-self-soulmate

- Given the native anonymous nature of blockchain in general, this issue cannot be avoided unless an explicit whitelist is implemented. Even then we can only confirm soulmates are distinct individuals via kyc. I believe finding a soulmate is intended to be permisionless. - However, even though sufficient (500_000_000e18 in each vault) tokens are minted to claim staking and airdrop rewards, it would take 500_000_000 / 2 combined weeks for airdrop vault to be drained which is not unreasonable given there are [80+ million existing wallets](https://coinweb.com/trends/how-many-crypto-wallets-are-there/). Given there is no option to mint new love tokens, this would actually ruin the functionality of the protocol of finding soulmates and shift the focus to abusing a sybil attack to farming airdrops instead. Assigning medium severity for now but am open for appeals otherwise, since most if not all issues lack indepth analysis of the issue.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.