The blockProfile function burns a user's profile but does not prevent them from re-registering with the same wallet. This allows a blocked user to create a new profile with the same details and bypass the restriction, making the blocking mechanism ineffective.
The blockProfile function is designed to remove a user's profile by burning their NFT and deleting their profile metadata. However, there is no blacklist mechanism in place to prevent the same wallet from re-registering. This means that after being blocked, the user can simply call mintProfile again and create a new profile with a fresh NFT, effectively bypassing the blocking mechanism.
Since the platform uses soulbound NFTs as a verification system, this oversight weakens the integrity of the platform's moderation system, allowing spam accounts, banned users, or malicious actors to rejoin immediately after being blocked.
(Access Control Bypass / Ineffective Moderation)
Spam & Abuse: Malicious actors can continuously create new profiles after being blocked.
Trust & Security Risks: Fake accounts and scammers can keep rejoining the platform, undermining user trust.
Ineffective Moderation: Users banned for violating platform rules can re-register instantly.
Manual Review
Implement a blacklist mapping:
mapping(address => bool) public blacklist;
Modify mintProfile to reject blacklisted users:
require(!blacklist[msg.sender], "User is blocked");
Update blockProfile to add users to the blacklist:
blacklist[blockAddress] = true;
Likelihood: Low, any blocked users. Impact: High, not really blocked.
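The recommended fix applied to a minimal profile contract, as an added example that is not the audited project's code. The Profile struct, token id counter, the onlyOwner moderation role, the unblockProfile helper and the OpenZeppelin v5 ERC721/Ownable base contracts are assumptions; only the blacklist mapping, the require in mintProfile and the assignment in blockProfile come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical stand-in for the profile contract described in the finding.
contract SoulboundProfiles is ERC721, Ownable {
    struct Profile { string handle; uint256 tokenId; }

    mapping(address => Profile) public profiles;
    mapping(address => bool) public blacklist;   // recommended fix: persisted block list
    uint256 private _nextTokenId = 1;            // 0 is reserved as "no profile"

    constructor() ERC721("Profile", "PROF") Ownable(msg.sender) {}

    function mintProfile(string calldata handle) external {
        // Fix: a wallet that was blocked can no longer re-register.
        require(!blacklist[msg.sender], "User is blocked");
        require(profiles[msg.sender].tokenId == 0, "Profile exists");
        uint256 tokenId = _nextTokenId++;
        _safeMint(msg.sender, tokenId);
        profiles[msg.sender] = Profile(handle, tokenId);
    }

    function blockProfile(address blockAddress) external onlyOwner {
        uint256 tokenId = profiles[blockAddress].tokenId;
        require(tokenId != 0, "No profile");
        _burn(tokenId);
        delete profiles[blockAddress];
        // Fix: remember the block so mintProfile rejects this wallet from now on.
        blacklist[blockAddress] = true;
    }

    // Assumed helper so moderators can reverse a mistaken block.
    function unblockProfile(address account) external onlyOwner {
        blacklist[account] = false;
    }

    // Soulbound: only mint (from == 0) and burn (to == 0) are allowed, never transfers.
    function _update(address to, uint256 tokenId, address auth)
        internal override returns (address)
    {
        address from = _ownerOf(tokenId);
        require(from == address(0) || to == address(0), "Soulbound");
        return super._update(to, tokenId, auth);
    }
}
```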