DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP

Submission Details
Severity: low
Status: Invalid

Lack of Input Validation in Profile Minting (Allows Blank Profiles) in Soulbound NFT

Description:
The mintProfile function in the Dating DApp does not validate the name and profileImage inputs, so users can mint profiles with empty values. This can lead to spam, fake accounts, and a poor user experience. The function currently only checks whether the caller has already minted a profile; it enforces no constraints on the metadata supplied.

Impact:

  • Users can create blank profiles with no name or image, reducing the credibility of the dating platform.

  • The UI may break or display empty profiles, affecting the user experience.

  • On-chain storage is wasted by storing meaningless profile data.

  • Potential increase in spam and bot accounts, reducing the overall quality of interactions.

Proof of Code:

```solidity
// Foundry tests; assumes `soulboundNFT` and `user` are set up in the test contract's setUp().
// Each call below succeeds even though the metadata is blank or the age is zero.
function testMintProfile_AllFieldsEmpty_ShouldSucceed() public {
    vm.prank(user);
    soulboundNFT.mintProfile("", 0, "");
}

function testMintProfile_EmptyName_ShouldSucceed() public {
    vm.prank(user);
    soulboundNFT.mintProfile("", 25, "https://example.com/image.png");
}

function testMintProfile_EmptyImage_ShouldSucceed() public {
    vm.prank(user);
    soulboundNFT.mintProfile("Alice", 25, "");
}

function testMintProfile_ZeroAge_ShouldSucceed() public {
    vm.prank(user);
    soulboundNFT.mintProfile("Alice", 0, "https://example.com/image.png");
}
```

Proof of Concept:

Step 1: Identify the Weakness

  • The mintProfile function does not check whether name or profileImage is empty, or whether age is valid.

  • This means a user can submit an empty or nonsensical profile.

Step 2: Create a Malicious or Spam Profile

  • A user (or bot) calls mintProfile("", 0, ""), providing empty values for all fields.

  • The contract does not revert, so the transaction succeeds.

  • A blank profile is now minted on-chain.

Step 3: Spam the Platform with Fake Profiles

  • Since there are no restrictions, an attacker can automate profile creation using multiple wallets.

  • This can be done through a simple script that calls mintProfile repeatedly, creating thousands of empty or fake accounts.

  • The DApp’s profile database is now filled with meaningless or fraudulent profiles.

Step 4: UI & Reputation Impact

  • When legitimate users browse profiles, they may see blank profiles or profiles with nonexistent images.

  • This reduces trust and engagement, making the DApp look low-quality or unmoderated.

  • Because the platform relies on NFT-based verification, that verification becomes less effective when malicious actors can generate endless fake profiles.

Step 5: Potential Monetization by an Attacker

  • If the platform has profile ranking or matching mechanisms, an attacker could inflate visibility by creating many fake profiles linked to their real one.

  • If users must pay to interact, attackers could trick others into spending ETH on fake profiles.

Recommended Mitigation:
Implement validation checks to ensure name and profileImage are not empty:

```solidity
require(bytes(name).length > 0, "Name cannot be empty");
require(bytes(profileImage).length > 0, "Profile image cannot be empty");
```

Optionally, an age restriction can be added:

```solidity
require(age > 17, "Must be at least 18 to register");
```

These changes will ensure that every profile has meaningful identity data, improving the platform’s integrity and usability.
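The recommended checks in context, as an added example (not the DatingDapp contract or its test suite): a hypothetical minimal ProfileMinter whose mintProfile performs every validation before writing state, plus Foundry tests that assert the reverts the original tests showed were missing. The mintProfile signature (name, age, profileImage) is taken from the calls above; the custom error names and the ProfileMinter contract are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

/// Hypothetical stand-in for the DatingDapp SoulboundNFT: only the mintProfile input checks are modelled.
contract ProfileMinter {
    struct Profile { string name; uint256 age; string profileImage; }
    error AlreadyMinted(address user);
    error EmptyName();
    error EmptyProfileImage();
    error Underage(uint256 age);
    mapping(address => Profile) public profiles;
    mapping(address => bool) public hasMinted;

    /// Hardened mintProfile: every check runs before any state is written, so a bad call costs only gas.
    function mintProfile(string calldata name, uint256 age, string calldata profileImage) external {
        if (hasMinted[msg.sender]) revert AlreadyMinted(msg.sender); // the check the original already had
        if (bytes(name).length == 0) revert EmptyName();
        if (bytes(profileImage).length == 0) revert EmptyProfileImage();
        if (age < 18) revert Underage(age);
        hasMinted[msg.sender] = true;
        profiles[msg.sender] = Profile(name, age, profileImage);
        // The real contract would _safeMint the soulbound token here.
    }
}

contract ProfileMinterTest is Test {
    ProfileMinter minter;
    address user = makeAddr("user");

    function setUp() public { minter = new ProfileMinter(); }

    function testBlankProfileReverts() public {
        vm.prank(user);
        vm.expectRevert(ProfileMinter.EmptyName.selector);
        minter.mintProfile("", 0, "");
    }

    function testUnderageReverts() public {
        vm.prank(user);
        vm.expectRevert(abi.encodeWithSelector(ProfileMinter.Underage.selector, 17));
        minter.mintProfile("Alice", 17, "https://example.com/image.png");
    }

    function testValidProfileSucceeds() public {
        vm.prank(user);
        minter.mintProfile("Alice", 25, "https://example.com/image.png");
        assertTrue(minter.hasMinted(user));
    }
}
```

Run with `forge test`; the custom errors keep the revert reasons cheap and let the tests match on the exact error selector rather than a string.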

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_URI_injection_scam_underaged_bad_name_photo_etc

Scamming/phishing is not the protocol problem, that's a user mistake. NFTs are unique; even if someone makes a copy of your profile (which is also possible in web2), I consider it informational. Injection is a problem for the web2 part of the protocol, not a bug here. For the age, it depends on the countries' laws and future medicine. Anyways, that's more an ethical/political problem, not a bug.
