Severity: medium
Valid

Shared space of token 0 can be written and read by anyone who is not a soulmate

Summary

Non-users (addresses that are not a soulmate) can read and write the shared space of token 0.

Vulnerability Details

    function writeMessageInSharedSpace(string calldata message) external {
        uint256 id = ownerToId[msg.sender];
        sharedSpace[id] = message;
        emit MessageWrittenInSharedSpace(id, message);
    }

    function readMessageInSharedSpace() external view returns (string memory) {
        // Add a little touch of romantism
        return
            string.concat(
                sharedSpace[ownerToId[msg.sender]],
                ", ",
                niceWords[block.timestamp % niceWords.length]
            );
    }

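In these functions, if msg.sender is not a soulmate, ownerToId[msg.sender] returns 0, the default value of an unset mapping entry. The lookup is therefore indistinguishable from that of a real owner of token 0, and the shared space that is read or written is the one belonging to token 0.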

Impact

Token 0 owners have their shared space accessible by anyone

Tools Used

Manual review

Recommendations

Check that msg.sender has a soulmate before reading from or writing to the shared space.
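One way to implement this check, as an added example that is not the audited contract's code: a minimal stand-in contract that guards both functions with a modifier. The `soulmateOf` mapping, `nextId` counter, `pairWith` helper, the custom errors, the event signature and the `niceWords` values are assumptions made for illustration; only the names shown in the snippet above come from this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: minimal stand-in, not the audited contract.
contract GuardedSharedSpace {
    // Names below match the snippet in this report.
    mapping(address => uint256) public ownerToId;
    mapping(uint256 => string) public sharedSpace;
    string[3] internal niceWords = ["sweetheart", "darling", "my dear"]; // constructed values
    event MessageWrittenInSharedSpace(uint256 indexed id, string message); // signature assumed

    // Assumptions: a partner registry and a sequential id counter starting at 0.
    mapping(address => address) public soulmateOf; // address(0) means "no soulmate"
    uint256 public nextId;

    error NotASoulmate(address caller);
    error InvalidPairing();

    // Reject callers whose ownerToId entry is only the mapping default (0).
    modifier onlySoulmate() {
        if (soulmateOf[msg.sender] == address(0)) revert NotASoulmate(msg.sender);
        _;
    }

    // Hypothetical pairing helper standing in for the real minting flow.
    function pairWith(address partner) external {
        bool invalid = partner == address(0) || partner == msg.sender
            || soulmateOf[msg.sender] != address(0) || soulmateOf[partner] != address(0);
        if (invalid) revert InvalidPairing();
        uint256 id = nextId++;
        ownerToId[msg.sender] = id;
        ownerToId[partner] = id;
        soulmateOf[msg.sender] = partner;
        soulmateOf[partner] = msg.sender;
    }

    function writeMessageInSharedSpace(string calldata message) external onlySoulmate {
        uint256 id = ownerToId[msg.sender];
        sharedSpace[id] = message;
        emit MessageWrittenInSharedSpace(id, message);
    }

    function readMessageInSharedSpace() external view onlySoulmate returns (string memory) {
        uint256 id = ownerToId[msg.sender];
        return string.concat(sharedSpace[id], ", ", niceWords[block.timestamp % niceWords.length]);
    }
}
```

With the guard in place, the first paired couple (id 0) can still use their shared space, while an unpaired address reverts with `NotASoulmate` instead of falling through to id 0.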

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-write-message-nft-0-id

Medium Severity, This has an indirect impact and influence on the possibility of divorce between soulmates owning the first soulmate NFT id0, leading to permanent loss of ability to earn airdrops/staking rewards.
