Submission Details
Severity: high
Valid

Unauthorized Airdrop Claims Due to Missing Ownership Verification

Summary

The Airdrop contract in the current LoveToken ecosystem is designed to allow holders of Soulmate NFTs to claim LoveTokens on a daily basis, underpinning a unique engagement model that rewards sustained relationships. However, the absence of an explicit ownership check for Soulmate NFTs within the claim function permits any address to trigger the airdrop claim process, potentially leading to unauthorized LoveToken acquisition.

Vulnerability Details

The core issue resides in the claim function, which lacks a crucial verification step to ensure that the caller is indeed the owner of a Soulmate NFT. The function soulmateContract.isDivorced() is invoked to check the divorce status of a couple but fails to ascertain if the caller possesses a Soulmate NFT. This oversight allows any user to execute the claim function, disregarding the intended restriction that only Soulmate NFT owners are eligible for the daily LoveToken airdrop.

POC

```solidity
function test_Claim() public {
    // Advance time so the airdrop would consider the caller eligible for
    // many days of LoveTokens, then claim from an address that never
    // minted a Soulmate NFT. claim() does not revert on the missing
    // ownership check, which is the behaviour this report describes.
    vm.warp(block.timestamp + 200 days + 1 seconds);
    airdropContract.claim();
    assertEq(loveToken.balanceOf(address(this)), 0);
}
```

Impact

This vulnerability could lead to several adverse outcomes, including but not limited to:

  • Dilution of LoveToken value due to unauthorized claim and distribution.

  • Erosion of trust among legitimate NFT holders regarding the exclusivity and benefits of holding Soulmate NFTs.

  • Potential depletion of the LoveToken reserves allocated for the airdrop, denying rightful claims by actual NFT owners.

Tools Used

  • Manual code review.

Recommendations

To mitigate this vulnerability and prevent unauthorized LoveToken claims, implement an ownership verification step within the claim function. This can be achieved by adding a check that confirms the caller owns a Soulmate NFT before proceeding with the claim process. Minting ids should also start from 1, so that an id of 0 unambiguously means "no NFT". Here's an enhanced version of the critical part of the claim function:

```solidity
// Ensure the caller is an owner of at least one Soulmate NFT.
uint256 soulmateId = soulmateContract.ownerToId(msg.sender);
if (soulmateId == 0) revert NotASoulmateOwner();
// Proceed with the existing logic...
```

It's important to ensure that the ownerToId function in the ISoulmate contract accurately reflects ownership of Soulmate NFTs, returning a non-zero identifier only for legitimate owners. This modification introduces an additional gas cost for the ownership check but significantly enhances the security and integrity of the airdrop mechanism.
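The following is an added illustration, not code from the Soulmate repository or from this report: it places the ownership gate ahead of the divorce check in a simplified claim function and pairs it with a Foundry regression test. Only ownerToId, isDivorced, claim and NotASoulmateOwner are names from the report; the contract bodies, MockSoulmate, CoupleIsDivorced and the test are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Added illustration, not the Soulmate project's code: only ownerToId,
// isDivorced, claim and NotASoulmateOwner come from the report; the
// contract bodies, the mock and the test are simplified assumptions.
interface ISoulmate {
    function ownerToId(address owner) external view returns (uint256);
    function isDivorced() external view returns (bool);
}

contract HardenedAirdrop {
    error NotASoulmateOwner();
    error CoupleIsDivorced();

    ISoulmate public immutable soulmateContract;

    constructor(ISoulmate soulmate) {
        soulmateContract = soulmate;
    }

    function claim() external {
        // Ownership gate runs first: with minting ids starting at 1, a zero id
        // means msg.sender never minted, so no later logic sees token id 0.
        uint256 soulmateId = soulmateContract.ownerToId(msg.sender);
        if (soulmateId == 0) revert NotASoulmateOwner();
        if (soulmateContract.isDivorced()) revert CoupleIsDivorced();
        // ... existing LoveToken distribution logic would follow here ...
    }
}

// Minimal stand-in for the real Soulmate NFT (assumption, for the test only).
contract MockSoulmate is ISoulmate {
    mapping(address => uint256) private ids;
    function setId(address owner, uint256 id) external { ids[owner] = id; }
    function ownerToId(address owner) external view returns (uint256) { return ids[owner]; }
    function isDivorced() external pure returns (bool) { return false; }
}

contract HardenedAirdropTest is Test {
    function test_NonOwnerCannotClaim() public {
        MockSoulmate soulmate = new MockSoulmate();
        HardenedAirdrop airdrop = new HardenedAirdrop(soulmate);
        vm.expectRevert(HardenedAirdrop.NotASoulmateOwner.selector);
        airdrop.claim(); // never minted: reverts instead of claiming as id 0
        soulmate.setId(address(this), 1);
        airdrop.claim(); // holder of id 1 passes the ownership gate
    }
}
```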

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-claim-airdrop-without-owning-NFT

High severity, This issue is separated from the flawed `isDivorced()` check presented in issue #168 as even if that is fixed, if ownership is not checked, isDivorced would still default to false and allow bypass to claim airdrops by posing as tokenId 0 in turn resulting in this [important check for token claim is bypassed.](https://github.com/Cyfrin/2024-02-soulmate/blob/b3f9227942ffd5c443ce6bccaa980fea0304c38f/src/Airdrop.sol#L61-L66). #220 is the most comprehensive issue as it correctly recognizes both issues existing within the same function.
