First Flight #9: Soulmate

First Flight #9

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Open access on `getDivorce` can make token id `0` to end up divorced

0x4non

Summary

Any user, regardless of their soulmate status or NFT ownership, to invoke the getDivorced function. This issue can lead to unauthorized state changes affecting the integrity of soulmate pairings and NFT ownership.

Vulnerability Details

getDivorced function, which lacks necessary checks to ensure that the caller is part of an existing soulmate pair and owns a corresponding NFT. As implemented, the function sets the divorced state to true for the caller and their supposed soulmate without verifying a valid soulmate relationship. This means any address can call getDivorced, inadvertently impacting the soulmate pairing logic and potentially causing confusion or manipulation of the intended "soulbound" relationship dynamics.

POC

function test_getDiverocedOpenAccess() public {

vm.prank(soulmate1);

soulmateContract.mintSoulmateToken();

vm.prank(soulmate2);

soulmateContract.mintSoulmateToken();

assertTrue(soulmateContract.totalSupply() == 1);

// this will emit CoupleHasDivorced(soulmate1, 0x000);

// @audit im not `soulmate1` or `soulmate2` but still i get divoroced

soulmateContract.getDivorced();

assertFalse(soulmateContract.isDivorced(), "should not be divorced");

}

Impact

A user can be divorced before even having a soulmate, and the been in an asymetric relation with his soulmate (he been divorced while the partner isnt)

Tools Used

Manual revision

Recommendations

Add a check to ensure the user has a Soulmate NFT minted.

diff --git a/src/Soulmate.sol b/src/Soulmate.sol

index 88ac66d..2f3629d 100644

--- a/src/Soulmate.sol

+++ b/src/Soulmate.sol

@@ -123,6 +123,7 @@ contract Soulmate is ERC721 {

/// @notice Cancel possibily for 2 lovers to collect LoveToken from the airdrop.

function getDivorced() public {

address soulmate2 = soulmateOf[msg.sender];

+ require(soulmate2 != address(0), "You are not married");

+ require(divorced[msg.sender] == false, "already divorced");

divorced[msg.sender] = true;

divorced[soulmateOf[msg.sender]] = true;

emit CoupleHasDivorced(msg.sender, soulmate2);

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

233

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.