You can be your own soulmate
Summary
If a user calls the mintSoulmateToken function 2 times, it is possible that he becomes his own soulmate
Vulnerability Details
When a user calls mintSoulmateToken (and no one is waiting to be reunited), he becomes the "soulmate1" in the couple, and if he calls the function again, there is nothing that will prevent him to become the "soulmate2" of the couple. He is then soulmate1 and soulmate2.
Impact
No impact on the other mechanics, but it breaks the concept of the token.
Tools Used
Manual Review
Recommendations
check if soulmate1 is msg sender before setting him to soulmate2
Lead Judging Commences
finding-self-soulmate
- Given the native anonymous nature of blockchain in general, this issue cannot be avoided unless an explicit whitelist is implemented. Even then we can only confirm soulmates are distinct individuals via kyc. I believe finding a soulmate is intended to be permisionless. - However, even though sufficient (500_000_000e18 in each vault) tokens are minted to claim staking and airdrop rewards, it would take 500_000_000 / 2 combined weeks for airdrop vault to be drained which is not unreasonable given there are [80+ million existing wallets](https://coinweb.com/trends/how-many-crypto-wallets-are-there/). Given there is no option to mint new love tokens, this would actually ruin the functionality of the protocol of finding soulmates and shift the focus to abusing a sybil attack to farming airdrops instead. Assigning medium severity for now but am open for appeals otherwise, since most if not all issues lack indepth analysis of the issue.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.