DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: low
Invalid

Unrestricted Age Parameter in mintProfile Function

Summary

The mintProfile function in the SoulboundProfileNFT contract fails to enforce age restrictions, allowing users of any age—including minors—to mint a profile. This oversight can result in legal and ethical concerns, particularly in applications involving age-sensitive data, user privacy, and regulatory compliance.

Vulnerability Details

  • Function: mintProfile(string memory name, uint256 age, string memory profileImage)

  • Issue: The function does not validate the age parameter, allowing users to input any arbitrary value, including ages below legal thresholds.

  • Impact: Underage users can create profiles without restrictions, potentially leading to regulatory non-compliance in jurisdictions with age restrictions on digital identities.

Proof of Concept (PoC) Test

The following test case demonstrates that an underage user (age 10) can successfully mint a profile:

Copy and paste this test into the SoulboundProfileNFT.t.sol and run it:

function testUnderageUserCanMintProfile() public {
    // Act as the test user and mint with a self-declared age of 10.
    vm.prank(user);
    soulboundNFT.mintProfile("YoungUser", 10, "ipfs://profileImage");
    // A token id of 1 shows the mint went through with no age check.
    uint256 tokenId = soulboundNFT.profileToToken(user);
    assertEq(tokenId, 1, "Underage users should not be allowed to mint profiles");
}

Results

Ran 1 test for test/testSoulboundProfileNFT.t.sol:SoulboundProfileNFTTest
[PASS] testUnderageUserCanMintProfile() (gas: 178923)
Traces:
[178923] SoulboundProfileNFTTest::testUnderageUserCanMintProfile()
├─ [0] VM::prank(0x0000000000000000000000000000000000000123)
│ └─ ← [Return]
├─ [166428] SoulboundProfileNFT::mintProfile("YoungUser", 10, "ipfs://profileImage")
│ ├─ emit Transfer(from: 0x0000000000000000000000000000000000000000, to: 0x0000000000000000000000000000000000000123, tokenId: 1)
│ ├─ emit ProfileMinted(user: 0x0000000000000000000000000000000000000123, tokenId: 1, name: "YoungUser", age: 10, profileImage: "ipfs://profileImage")
│ └─ ← [Stop]
├─ [630] SoulboundProfileNFT::profileToToken(0x0000000000000000000000000000000000000123) [staticcall]
│ └─ ← [Return] 1
├─ [0] VM::assertEq(1, 1, "Underage users should not be allowed to mint profiles") [staticcall]
│ └─ ← [Return]
└─ ← [Stop]
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 5.82ms (895.90µs CPU time)
Ran 1 test suite in 1.18s (5.82ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)

Impact

The test passes, confirming that users below a reasonable age threshold can still mint profiles.

Impact Assessment

  • Legal & Regulatory Risks: Many jurisdictions enforce age restrictions on digital services. The absence of validation could make the platform non-compliant with laws such as COPPA (Children’s Online Privacy Protection Act) and GDPR (General Data Protection Regulation).

  • Ethical Concerns: Minors may not fully understand the implications of having a public profile tied to their identity.

  • Reputation Damage: A system that allows unrestricted age inputs can be exploited, leading to potential backlash from regulators and users.

Tools Used

Manual review, Foundry and my eyes

Recommendations

Recommended Mitigation

  1. Enforce Age Restrictions:

    • Introduce a minimum age requirement (e.g., 18) before allowing profile minting.

    • Implement an age validation check within mintProfile.

    require(age >= 18, "User must be at least 18 years old to mint a profile");

  2. Off-Chain Age Verification:

    • Integrate third-party identity verification services for age verification before allowing profile minting.

  3. Age Input Validation:

    • Limit age input to a realistic range (e.g., 18–90) to prevent nonsensical or exploitative values.
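The three recommendations above can be combined in one gate. The following is an added example, not code from the DatingDapp repository: `AgeGatedProfile`, `ageVerifier`, `attestationDigest` and the attestation format are assumptions, and the ERC-721 logic and the name and profileImage parameters are left out. The range check only bounds a self-declared number, so the mint also requires a signature from the off-chain verification service over the caller's address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative stand-in for SoulboundProfileNFT; every name not on the page is hypothetical.
contract AgeGatedProfile {
    uint256 public constant MIN_AGE = 18;
    uint256 public constant MAX_AGE = 90;
    // Half of the secp256k1 group order; signatures with s above it are malleable.
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public immutable ageVerifier; // signing key of the off-chain verification service
    mapping(address => uint256) public profileToToken;
    uint256 private nextTokenId = 1;

    error AgeOutOfRange(uint256 age);
    error BadAttestation();
    error ProfileExists();

    constructor(address verifier) {
        require(verifier != address(0), "verifier unset");
        ageVerifier = verifier;
    }

    // Digest the verifier signs: binds the approval to one chain, one contract, one user,
    // so it cannot be replayed elsewhere or handed to another address.
    function attestationDigest(address user) public view returns (bytes32) {
        bytes32 inner = keccak256(abi.encode(block.chainid, address(this), user));
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    function mintProfile(uint256 age, uint8 v, bytes32 r, bytes32 s) external returns (uint256 id) {
        if (profileToToken[msg.sender] != 0) revert ProfileExists();
        // Sanity bound on the self-declared value; on its own this proves nothing.
        if (age < MIN_AGE || age > MAX_AGE) revert AgeOutOfRange(age);
        // Reject high-s signatures, then require the recovered signer to be the verifier.
        if (uint256(s) > HALF_N) revert BadAttestation();
        address signer = ecrecover(attestationDigest(msg.sender), v, r, s);
        if (signer == address(0) || signer != ageVerifier) revert BadAttestation();
        id = nextTokenId++;
        profileToToken[msg.sender] = id;
    }
}
```

With this gate in place, the PoC call with age 10 reverts with `AgeOutOfRange(10)`, and a caller who simply types 18 still needs a valid attestation for their own address.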

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_URI_injection_scam_underaged_bad_name_photo_etc

Scamming/phishing is not the protocol problem, that's a user mistake. NFTs are unique, even if someone does a copy of your profile (which is also possible in web2), I consider it informational. Injection is a problem for the web2 part of the protocol, not a bug here. For the age, it depends on the countries' laws and future medicine. Anyways, that's more an ethical/political problem, not a bug.
