Tags: Beginner Friendly, Foundry, NFT
Submission Details
Severity: medium
Valid

Anyone can write a message to the shared space of NFT ID 0

Summary

The Soulmate contract lets soulmates mint Soulbound NFTs, share messages in an on-chain shared space, and engage in various interactions symbolizing a digital partnership. A critical oversight in the writeMessageInSharedSpace function allows anyone, including addresses that own no NFT at all, to write to the shared space of the first minted NFT (ID 0).

Vulnerability Details

The vulnerability arises from a missing validation in writeMessageInSharedSpace. The function looks up ownerToId[msg.sender] to find the NFT ID associated with the caller and writes the message to the shared space for that ID. Because an uninitialized uint256 entry in the ownerToId mapping defaults to 0, any address that holds no NFT resolves to ID 0 and can write to that NFT's shared space. This behavior is unintended and allows unauthorized message modification.

Impact

This vulnerability compromises the integrity of the shared space, particularly for the first NFT (ID 0). It could lead to spam, offensive content, or unwanted messages being associated with the NFT owned by the initial soulmate pair, undermining the trust and security of the platform.

POC

function test_writeMessage() public {
    // Two addresses pair up: soulmate1 waits, soulmate2 completes the pair and NFT ID 0 is minted.
    vm.prank(soulmate1);
    soulmateContract.mintSoulmateToken();
    vm.prank(soulmate2);
    soulmateContract.mintSoulmateToken();
    assertTrue(soulmateContract.totalSupply() == 1);

    // No prank here: the caller is the test contract itself, which owns no NFT.
    // ownerToId[address(this)] is the mapping default 0, so the write lands on NFT ID 0.
    soulmateContract.writeMessageInSharedSpace("send nud3s");

    // soulmate2, a legitimate owner of NFT ID 0, reads back the stranger's message.
    vm.prank(soulmate2);
    string memory message = soulmateContract.readMessageInSharedSpace();
    console2.log(message);
    // WTF ??? (the message written by an address holding no NFT appears in the pair's shared space)
}

Tools Used

Manual review

Recommendations

To mitigate this issue and prevent unauthorized access to the shared space, the contract should include a validation check:

diff --git a/src/Soulmate.sol b/src/Soulmate.sol
index 88ac66d..553f6c8 100644
--- a/src/Soulmate.sol
+++ b/src/Soulmate.sol
@@ -105,6 +105,7 @@ contract Soulmate is ERC721 {
/// @param message The message to write in the shared space.
function writeMessageInSharedSpace(string calldata message) external {
uint256 id = ownerToId[msg.sender];
+ require(soulmateOf[msg.sender] != address(0), "You need a soulmate to write a message");
sharedSpace[id] = message;
emit MessageWrittenInSharedSpace(id, message);
}
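Review bot: the added require guards on soulmateOf[msg.sender] while the function writes to the id taken from ownerToId[msg.sender], so the guard and the write path depend on two different mappings staying in sync; it would also be cleaner to place the check before `uint256 id = ownerToId[msg.sender];` so the failing path does not read storage first. The hunk also leaves ID 0 as a valid token ID, so the mapping default remains indistinguishable from a real ID; reserving 0 and starting minting at 1, as the text below suggests, would let the function reject `id == 0` directly.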

This ensures that the caller holds an NFT (because they have a soulmate), but it would be better to treat ID 0 as an invalid NFT and start the minting IDs from 1.
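As an added illustration of the second recommendation (this is not the audited Soulmate.sol, but a hypothetical reduced model that mirrors its names), the contract below reserves ID 0 as the "no token" sentinel, starts pairing at ID 1, and rejects writers whose ownerToId entry is still the mapping default; the waiting-slot logic, the NoSoulmateToken error and the Foundry test are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

/// Hypothetical reduced model of the shared-space logic (not the audited Soulmate.sol):
/// token IDs start at 1, so the mapping default ownerToId[x] == 0 means "x holds no token".
contract SharedSpaceFixed {
    uint256 public nextID = 1;              // ID 0 is reserved as the "no token" sentinel
    address private waiting;                // first half of the pair currently waiting
    mapping(address => uint256) public ownerToId;
    mapping(uint256 => string) public sharedSpace;
    error NoSoulmateToken(address caller);

    /// First caller waits; the second caller completes the pair and both receive the ID.
    function mintSoulmateToken() external returns (uint256) {
        require(ownerToId[msg.sender] == 0 && waiting != msg.sender, "Already paired or waiting");
        if (waiting == address(0)) {
            waiting = msg.sender;
            return 0;                       // 0 = "not paired yet", consistent with the sentinel
        }
        ownerToId[waiting] = nextID;
        ownerToId[msg.sender] = nextID;
        waiting = address(0);
        return nextID++;
    }

    function writeMessageInSharedSpace(string calldata message) external {
        uint256 id = ownerToId[msg.sender];
        if (id == 0) revert NoSoulmateToken(msg.sender);   // the uninitialized default is now rejected
        sharedSpace[id] = message;
    }
}

/// Foundry test: the first pair receives ID 1 and a stranger can no longer write to its shared space.
contract SharedSpaceFixedTest is Test {
    SharedSpaceFixed s;
    address soulmate1 = makeAddr("soulmate1");
    address soulmate2 = makeAddr("soulmate2");
    address stranger = makeAddr("stranger");

    function setUp() public { s = new SharedSpaceFixed(); }

    function test_strangerCannotWriteToFirstPair() public {
        vm.prank(soulmate1); s.mintSoulmateToken();
        vm.prank(soulmate2); s.mintSoulmateToken();
        assertEq(s.ownerToId(soulmate1), 1);            // first pair is ID 1, never ID 0
        vm.prank(stranger);
        vm.expectRevert(abi.encodeWithSelector(SharedSpaceFixed.NoSoulmateToken.selector, stranger));
        s.writeMessageInSharedSpace("send nud3s");
    }
}
```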

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-write-message-nft-0-id

Medium severity: this has an indirect impact and influence on the possibility of divorce between soulmates owning the first soulmate NFT (id 0), leading to permanent loss of the ability to earn airdrops/staking rewards.
