External users can claim LoveToken staking rewards from StakingVault without being part of a soulmate couple (or being a soulmate at all). Because there is no check that `msg.sender` is a soulmate, an external user can claim the staking rewards corresponding to tokenId 0.
The attacker deposits some LoveTokens in the Staking.sol contract.
The attacker can then claim staking rewards without being a soulmate:
As the attacker isn't a soulmate, `soulmateContract.ownerToId(msg.sender)` will be equal to 0, and the next steps proceed as if the attacker were the owner of token 0.
`lastClaim[msg.sender]` is then equal to the creationTimestamp of token 0.
Then `uint256 amountToClaim = userStakes[msg.sender] * timeInWeeksSinceLastClaim;` is not 0, resulting in
to transfer tokens without reverting
Anyone can claim staking rewards corresponding to token 1
To go further: a loop repeating the exploit, starting with 1 LoveToken in the 1st week, would need only 29 iterations to empty the 500 000 000 tokens (creating a new account each time).
Manual review
Check that `msg.sender` has a soulmate.
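One way to implement the recommended check, as an added sketch that is not the project's own code. It assumes the soulmate contract exposes `soulmateOf` and `idToCreationTimestamp` getters next to the `ownerToId` named above; `StakingSketch`, `vault`, `IERC20Like` and the custom errors are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.23;

// ownerToId is named in the finding; the other two getters are assumptions.
interface ISoulmateRegistry {
    function ownerToId(address owner) external view returns (uint256);
    function soulmateOf(address owner) external view returns (address);
    function idToCreationTimestamp(uint256 id) external view returns (uint256);
}

interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract StakingSketch {
    error NotASoulmate();
    error NothingToClaim();

    ISoulmateRegistry public immutable soulmateContract;
    IERC20Like public immutable loveToken;
    address public immutable vault; // hypothetical account holding the reward supply
    mapping(address => uint256) public userStakes;
    mapping(address => uint256) public lastClaim;

    constructor(ISoulmateRegistry registry, IERC20Like token, address rewardVault) {
        (soulmateContract, loveToken, vault) = (registry, token, rewardVault);
    }

    function deposit(uint256 amount) external {
        require(loveToken.transferFrom(msg.sender, address(this), amount), "deposit failed");
        userStakes[msg.sender] += amount;
    }

    function claimRewards() external {
        // The fix: a mapping lookup returns 0 for unknown keys, so ownerToId
        // cannot tell "owner of token 0" from "no token". Check the pairing itself.
        if (soulmateContract.soulmateOf(msg.sender) == address(0)) revert NotASoulmate();
        uint256 id = soulmateContract.ownerToId(msg.sender);
        if (lastClaim[msg.sender] == 0) {
            lastClaim[msg.sender] = soulmateContract.idToCreationTimestamp(id);
        }
        uint256 timeInWeeksSinceLastClaim = (block.timestamp - lastClaim[msg.sender]) / 1 weeks;
        if (timeInWeeksSinceLastClaim == 0) revert NothingToClaim();
        lastClaim[msg.sender] = block.timestamp; // update state before the external call
        uint256 amountToClaim = userStakes[msg.sender] * timeInWeeksSinceLastClaim;
        require(loveToken.transferFrom(vault, msg.sender, amountToClaim), "transfer failed");
    }
}
```

A regression test for this guard should call `claimRewards()` from an address that has deposited but has no soulmate and expect the `NotASoulmate` revert.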
High severity, as it allows any pending user to claim staking rewards without owning a soulmate NFT by:
- Obtaining love tokens on secondary markets
- Transferring previously accrued love tokens via airdrops/rewards to another account and abusing the `deposit()` function