External users can claim an airdrop of LoveTokens from the AirdropVault without being part of a soulmate couple (or a soulmate at all). Since there is no check that msg.sender is a soulmate, an external user can claim the airdrop corresponding to tokenId 0.
The attacker can claim an airdrop without being a soulmate:

1. As the attacker is not a soulmate, `soulmateContract.ownerToId(msg.sender)` returns 0 (the mapping's default value), so the remaining steps behave as if the attacker were the owner of token 0.
2. `numberOfDaysInCouple` is therefore computed from token 0's data, not from anything belonging to the attacker.
3. `uint256 tokenAmountToDistribute = (numberOfDaysInCouple * 10 ** loveToken.decimals()) - amountAlreadyClaimed;` is then non-zero, so the claim completes and the tokens are transferred without reverting.
Anyone can be airdropped a certain amount of tokens.
Manual review
Check that msg.sender actually has a soulmate before computing and paying out the claim.
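A simplified sketch of the claim path, written for this report and not the contest's own Airdrop.sol, showing the unchecked claim beside the recommended ownership check. It assumes a `soulmateOf(address)` getter on the Soulmate contract that returns address(0) for callers without a soulmate, an `idToCreationTimestamp(uint256)` getter, and `_claimedBy` bookkeeping; all three are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-ins for the contest contracts (constructed for this example).
interface ISoulmate {
    function ownerToId(address owner) external view returns (uint256); // public mapping: 0 for unknown addresses
    function soulmateOf(address owner) external view returns (address); // assumed: address(0) when no soulmate
    function idToCreationTimestamp(uint256 id) external view returns (uint256); // assumed getter
}

interface ILoveToken {
    function decimals() external view returns (uint8);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract AirdropSketch {
    error Airdrop__NotASoulmate();
    error Airdrop__PreviousTokenAlreadyClaimed();

    ISoulmate public immutable soulmateContract;
    ILoveToken public immutable loveToken;
    address public immutable airdropVault;
    mapping(address => uint256) private _claimedBy; // assumed bookkeeping of paid-out amounts

    constructor(ISoulmate s, ILoveToken t, address vault) {
        soulmateContract = s; loveToken = t; airdropVault = vault;
    }

    // Unchecked shape (the reported bug): a caller with no soulmate gets ownerToId() == 0,
    // so the maths below silently run against token 0's creation timestamp.
    function claimUnchecked() external { _claim(); }

    // Hardened shape: refuse callers with no soulmate BEFORE any token id is used.
    // ownerToId() cannot serve as this check because 0 is also a valid token id.
    function claimChecked() external {
        if (soulmateContract.soulmateOf(msg.sender) == address(0)) revert Airdrop__NotASoulmate();
        _claim();
    }

    function _claim() internal {
        uint256 tokenId = soulmateContract.ownerToId(msg.sender); // 0 for non-soulmates
        uint256 numberOfDaysInCouple =
            (block.timestamp - soulmateContract.idToCreationTimestamp(tokenId)) / 1 days;
        uint256 amountAlreadyClaimed = _claimedBy[msg.sender];
        uint256 entitled = numberOfDaysInCouple * 10 ** loveToken.decimals();
        if (amountAlreadyClaimed >= entitled) revert Airdrop__PreviousTokenAlreadyClaimed();
        uint256 tokenAmountToDistribute = entitled - amountAlreadyClaimed;
        _claimedBy[msg.sender] += tokenAmountToDistribute; // effects before the external transfer
        loveToken.transferFrom(airdropVault, msg.sender, tokenAmountToDistribute);
    }
}
```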
High severity. This issue is separate from the flawed `isDivorced()` check presented in issue #168: even if that is fixed, if ownership is not checked, `isDivorced` would still default to false and allow the airdrop claim to be bypassed by posing as tokenId 0, in turn resulting in this [important check for token claim being bypassed](https://github.com/Cyfrin/2024-02-soulmate/blob/b3f9227942ffd5c443ce6bccaa980fea0304c38f/src/Airdrop.sol#L61-L66). #220 is the most comprehensive issue as it correctly recognizes both issues existing within the same function.