Submission Details
Severity: low
Valid

`Soulmate::_mint()` can cause NFT to be frozen in a contract if not supported by soulmate's contract

Summary

Soulmate::_mint() can cause NFT to be frozen in a contract if not supported by soulmate's contract.

Vulnerability Details

The `Soulmate::mintSoulmateToken()` function calls the `_mint` function from OpenZeppelin's ERC721 contract to mint a Soulbound Token for the newly formed soulmates.

However, if the soulmate's contract does not support ERC721 tokens, the NFT could end up frozen in that contract.

As per the documentation of EIP-721:

A wallet/broker/auction application MUST implement the wallet interface if it will accept safe transfers.

Ref: https://eips.ethereum.org/EIPS/eip-721

As per the documentation of ERC721.sol by OpenZeppelin

Impact

NFT being frozen in a contract if not supported by the soulmate's contract.

Tools Used

Manual Review

Recommendations

It is advised to use `ERC721::_safeMint()` instead of `ERC721::_mint()`.
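
The difference between the two mint paths, shown as an added Foundry test that is not part of the original submission or the Soulmate code base. `DemoToken`, `NonReceiver` and `Receiver` are hypothetical contracts, and the import paths assume forge-std and OpenZeppelin Contracts are installed with the usual remappings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical token exposing both mint paths (not the Soulmate contract).
contract DemoToken is ERC721 {
    uint256 public nextId;
    constructor() ERC721("Demo", "DEMO") {}
    function mintUnchecked(address to) external returns (uint256 id) {
        id = nextId++;
        _mint(to, id); // no receiver check at all
    }
    function mintChecked(address to) external returns (uint256 id) {
        id = nextId++;
        _safeMint(to, id); // calls onERC721Received when `to` is a contract
    }
}

// Contract account with no ERC721 support and no function to move a token out.
contract NonReceiver {}

// Contract account that implements the EIP-721 wallet interface.
contract Receiver is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}

contract MintPathsTest is Test {
    DemoToken token;
    function setUp() public { token = new DemoToken(); }

    function test_mintToNonReceiverSucceeds() public {
        address holder = address(new NonReceiver());
        uint256 id = token.mintUnchecked(holder);
        assertEq(token.ownerOf(id), holder); // token now sits in a contract that cannot handle it
    }
    function test_safeMintToNonReceiverReverts() public {
        address holder = address(new NonReceiver());
        vm.expectRevert(); // receiver check fails, so the mint is rolled back
        token.mintChecked(holder);
    }
    function test_safeMintToReceiverAndEOASucceeds() public {
        uint256 a = token.mintChecked(address(new Receiver()));
        uint256 b = token.mintChecked(makeAddr("eoa")); // EOAs skip the callback
        assertEq(token.ownerOf(b), makeAddr("eoa"));
        assertTrue(a != b);
    }
}
```

`_safeMint` makes an external call to the recipient, so a mint function that adopts it should finish its own state updates before that call or carry a reentrancy guard.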

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-safemint

Low severity.

- If a user utilizes an EOA, the check is not required.
- If a user utilizes a contract that they own to mint soulmate tokens, then the check is required. However, this would rely on user error minting.

Since there is no mention that ownership of token must be from EOAs, I believe low severity is appropriate.
