If a user calls `Soulmate::mintSoulmateToken` and is not matched by anyone, they can call `Airdrop::claim` and receive love tokens proportional to the current `block.timestamp`.
When a user calls `Soulmate::mintSoulmateToken` and is not matched, the `ownerToId` mapping is initialized; however, `idToCreationTimestamp` is not. Therefore, if a user who was not matched when minting a soulmate token calls `Airdrop::claim`, the calculation of the number of days in couple given by
Will result in
Leading to the user being able to remove a great amount of Love Tokens.
Add the following test to `BaseTest.t.sol` and run `forge test --mt test_user_can_drain_funds`.
Anyone that mints a soulmate token without being immediately matched will be able to take great amounts of love tokens from the airdrop contract.
Foundry
To address this issue, add a check to the airdrop contract that the second soulmate token has already been minted.
In ISoulmate.sol
In Airdrop.sol
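The root cause and the recommended check, as an added example that is neither the audited project's code nor the submitter's patch. It is a simplified model: `partnerOf`, `waiting`, `nextId`, the two `daysInCouple*` functions and the exact form of the days calculation are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model for illustration only (not the audited contracts).
/// ownerToId and idToCreationTimestamp are named on the page; partnerOf,
/// waiting, nextId and both daysInCouple* functions are hypothetical.
contract DaysInCoupleModel {
    error NotMatched();

    mapping(address => uint256) public ownerToId;
    mapping(uint256 => uint256) public idToCreationTimestamp;
    mapping(address => address) public partnerOf; // set only once a pair is complete

    address private waiting; // first minter of the pair currently being formed
    uint256 private nextId;

    function mintSoulmateToken() external {
        require(msg.sender != waiting && partnerOf[msg.sender] == address(0), "already minted");
        ownerToId[msg.sender] = nextId;
        if (waiting == address(0)) {
            // Unmatched mint: ownerToId is written, the timestamp is not.
            waiting = msg.sender;
            return;
        }
        // Second mint completes the pair and is the only place the timestamp is set.
        partnerOf[waiting] = msg.sender;
        partnerOf[msg.sender] = waiting;
        idToCreationTimestamp[nextId] = block.timestamp;
        waiting = address(0);
        nextId++;
    }

    /// Flawed: for an unmatched minter the mapping read returns 0, so the
    /// result is block.timestamp / 1 days, i.e. days since the Unix epoch.
    function daysInCoupleUnchecked(address who) external view returns (uint256) {
        return (block.timestamp - idToCreationTimestamp[ownerToId[who]]) / 1 days;
    }

    /// Hardened: refuse the calculation until the second token has been minted.
    function daysInCoupleChecked(address who) external view returns (uint256) {
        if (partnerOf[who] == address(0)) revert NotMatched();
        return (block.timestamp - idToCreationTimestamp[ownerToId[who]]) / 1 days;
    }
}
```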
High severity. This issue is separated from the flawed `isDivorced()` check presented in issue #168 as even if that is fixed, if ownership is not checked, isDivorced would still default to false and allow bypass to claim airdrops by posing as tokenId 0 in turn resulting in this [important check for token claim is bypassed](https://github.com/Cyfrin/2024-02-soulmate/blob/b3f9227942ffd5c443ce6bccaa980fea0304c38f/src/Airdrop.sol#L61-L66). #220 is the most comprehensive issue as it correctly recognizes both issues existing within the same function.