Vulnerability Details

affected line of code

In the mintProfile function

uint256 tokenId = ++_nextTokenId;

This current implementation uses a sequential ID generation system that increments a counter for each new profile mint. This predictable pattern allows malicious actors to:

• Front-run transactions to obtain specific IDs

  Uses a simple incrementing counter

• Provides no entropy or randomness

• Makes future IDs completely predictable

Below are a set of POC's that demonstrates the identified vulnerability

copy and paste this test into SoulboundProfileNFT.t.sol

and run it

This Number 1 test demonstrates the fundamental vulnerability by showing that:

The first mint always generates ID 1

The second mint always generates ID 2

The sequence is completely predictable and deterministic

This Number 2 test shows how an attacker can:

Monitor the blockchain for pending transactions

```See a user's mint transaction with ID 1`

Prepare their own mint transaction to get ID 2

Potentially manipulate market dynamics or token distribution

This Final test shows how multiple actors can:

Interact with the contract in sequence

Each reliably receive the next sequential ID

The sequence remains predictable even with multiple users````No randomness or unpredictability is introduced

Impact Assessment:

The vulnerability enables several attack vectors:

• Front-running Attacks
  Attackers can prepare transactions knowing exact IDs

• Strategic positioning in transaction queue

• Potential for ID-based market manipulation

Tools Used

manual review and foundry

Recommendations

• Uses multiple entropy sources for unpredictability

• Includes user-specific data to prevent ID collisions

• Implements blockhash from previous block to prevent miner manipulation