First Flight #9: Soulmate

First Flight #9

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

No NFT is minted to soulmate1

happyformerlawyer

Summary

Each person who calls mintSoulmateToken() in Soulmate.sol is supposed to receive a soulbound NFT, but only soulmate2 will receive one. This is because _mint() (inherited from ERC721.sol) is only called when there is a soulmate already waiting (see code below). If you are soulmate1 you will not get an NFT.

Vulnerability Details

Here is the relevant portion of the mintSoulmateToken() function - an NFT is minted to soulmate2 in the else if statement but no NFT is minted to `soulmate`` in either the if statement or the else if statement.

address soulmate1 = idToOwners[nextID][0];

address soulmate2 = idToOwners[nextID][1];

if (soulmate1 == address(0)) {

idToOwners[nextID][0] = msg.sender;

ownerToId[msg.sender] = nextID;

emit SoulmateIsWaiting(msg.sender);

} else if (soulmate2 == address(0)) {

idToOwners[nextID][1] = msg.sender;

// Once 2 soulmates are reunited, the token is minted

ownerToId[msg.sender] = nextID;

soulmateOf[msg.sender] = soulmate1;

soulmateOf[soulmate1] = msg.sender;

idToCreationTimestamp[nextID] = block.timestamp;

emit SoulmateAreReunited(soulmate1, soulmate2, nextID);

_mint(msg.sender, nextID++);

}

Impact

The protocol does not function as expected and half the users won't receive an NFT. Also, you will be unable to use any features of the protocol that depend on you having the NFT in your account.

Tools Used

Manual review

Recommendations

Make the following addition so an NFT is also minted to soulmate1...also don't iterate to nextID++ until after the NFT is minted:

else if (soulmate2 == address(0)) {

idToOwners[nextID][1] = msg.sender;

// Once 2 soulmates are reunited, the token is minted

ownerToId[msg.sender] = nextID;

soulmateOf[msg.sender] = soulmate1;

soulmateOf[soulmate1] = msg.sender;

idToCreationTimestamp[nextID] = block.timestamp;

emit SoulmateAreReunited(soulmate1, soulmate2, nextID);

_mint(msg.sender, nextID);

_mint(soulmate1, nextID);

nextID++;

}

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

233

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.