Reentrancy vulnerability in `SoulboundProfileNFT.mintProfile()` allows multiple NFT minting
Description:
The mintProfile() function in SoulboundProfileNFT.sol is vulnerable to reentrancy attacks due to state updates occurring after the _safeMint() call, which includes a callback to the recipient. This callback could be exploited by a malicious contract to mint multiple NFTs before the state variables are updated.
While the function includes a check require(profileToToken[msg.sender] == 0), this check can be bypassed during reentrancy since profileToToken mapping is updated after the external call.
Impact:
Attacker could create multiple profiles, undermining the "one-address-one-profile" principle
Inconsistent state in profileToToken mapping
burnProfile() and blockProfile() functions would only work with the latest profile
Broken profile management system
Recommended Mitigation:
-
Implement Checks-Effects-Interactions pattern
function mintProfile(string memory name, uint8 age, string memory profileImage) external nonReentrant {require(profileToToken[msg.sender] == 0, "Profile already exists");uint256 tokenId = ++_nextTokenId;// Update state before external call_profiles[tokenId] = Profile(name, age, profileImage);profileToToken[msg.sender] = tokenId;// External call after state updates_safeMint(msg.sender, tokenId);emit ProfileMinted(msg.sender, tokenId, name, age, profileImage);} -
Add ReentrancyGuard from OZ
Appeal created
finding_mintProfile_reentrancy
Likelihood: High, anyone can do it. Impact: Low, several profile will be minted, which is not allowed by the protocol, but only the last one will be stored in profileToToken and won't affect `likeUser` or `matchRewards`.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.