DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

Potential for Multiple Users to Share the Same Profile

Summary

There's no mechanism to prevent two or more users from having the same profile data (name, age, profile image), which could be exploited maliciously to impersonate others or create confusion.

Vulnerability Details

### PoC
Deploy the SoulboundProfileNFT contract.
As two different users (e.g., 0x123 and 0x456), mint profiles with identical data:
```solidity
soulboundNFT.mintProfile("John Doe", 30, "ipfs://profile1");
soulboundNFT.mintProfile("John Doe", 30, "ipfs://profile1");
```
Verify that both users can successfully mint profiles with the same data.
Add this to the test file
PoC Code:
```solidity
function testMultipleUsersSameProfile() public {
    address user1 = address(0x123);
    address user2 = address(0x456);
    vm.deal(user1, 1 ether);
    vm.deal(user2, 1 ether);

    vm.prank(user1);
    soulboundNFT.mintProfile("John Doe", 30, "ipfs://profile1");
    vm.prank(user2);
    soulboundNFT.mintProfile("John Doe", 30, "ipfs://profile1");

    // Check if both users have minted profiles with the same data
    uint256 tokenIdUser1 = soulboundNFT.profileToToken(user1);
    uint256 tokenIdUser2 = soulboundNFT.profileToToken(user2);
    assertNotEq(tokenIdUser1, 0, "User1 should have minted profile");
    assertNotEq(tokenIdUser2, 0, "User2 should have minted profile");
}
```
The Result
```text
[⠊] Compiling...
No files changed, compilation skipped
Ran 1 test for test/testSoulboundProfileNFT.t.sol:SoulboundProfileNFTTest
[PASS] testMultipleUsersSameProfile() (gas: 327211)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 3.60ms (1.35ms CPU time)
```
Explanation:
This PoC shows that the contract allows multiple users to create profiles with identical data, which could be exploited for impersonation or to confuse other users.
Without unique constraints on profile data, the system cannot distinguish between legitimate users and those using the same profile maliciously or mistakenly, potentially leading to identity confusion or fraud within the platform.

Impact

This could lead to identity theft within the platform, where one user might create misleading or fake profiles to harm or mislead others.

Tools Used

Manual Review

Recommendations

Implement a unique constraint on profile data, possibly by hashing the profile data or using some form of uniqueness check before minting.
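
One way to implement the hash-based uniqueness check recommended above, as an added example that is not the DatingDapp contract's code. The contract name `UniqueProfileRegistry`, the storage layout, the `uint8` age type and the `burnProfile` function are assumptions; only the `mintProfile(name, age, image)` call shape and the `profileToToken` getter come from the PoC.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration (hypothetical contract), not the DatingDapp source.
/// ERC-721 logic is omitted so the uniqueness check stands alone.
contract UniqueProfileRegistry {
    error ProfileAlreadyExists();
    error ProfileDataAlreadyTaken(uint256 existingTokenId);

    uint256 private _nextTokenId; // first token id is 1, so 0 means "none"

    mapping(address => uint256) public profileToToken;
    // keccak256 of the profile fields => token id that claimed them
    mapping(bytes32 => uint256) public profileHashToToken;
    // token id => hash, so the hash can be released when a profile is removed
    mapping(uint256 => bytes32) private _tokenToProfileHash;

    function profileHash(string memory name, uint8 age, string memory profileImage)
        public pure returns (bytes32)
    {
        // abi.encode, not abi.encodePacked: packed encoding drops the length
        // prefixes, so different field splits can produce the same bytes.
        return keccak256(abi.encode(name, age, profileImage));
    }

    function mintProfile(string memory name, uint8 age, string memory profileImage)
        external returns (uint256 tokenId)
    {
        if (profileToToken[msg.sender] != 0) revert ProfileAlreadyExists();

        bytes32 h = profileHash(name, age, profileImage);
        uint256 existing = profileHashToToken[h];
        if (existing != 0) revert ProfileDataAlreadyTaken(existing);

        tokenId = ++_nextTokenId;
        profileToToken[msg.sender] = tokenId;
        profileHashToToken[h] = tokenId;
        _tokenToProfileHash[tokenId] = h;
        // A real ERC-721 would mint here, after the state updates.
    }

    // Hypothetical removal path: release the hash so the data is not locked forever.
    function burnProfile() external {
        uint256 tokenId = profileToToken[msg.sender];
        require(tokenId != 0, "No profile");
        delete profileHashToToken[_tokenToProfileHash[tokenId]];
        delete _tokenToProfileHash[tokenId];
        delete profileToToken[msg.sender];
    }
}
```

The check rejects only byte-identical tuples: a one-character change to the name or a different URI for the same image produces a new hash, so it filters exact duplicates and does not establish who the legitimate owner of an identity is.
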
Updates

Appeal created

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_URI_injection_scam_underaged_bad_name_photo_etc

Scamming/phishing is not the protocol's problem, that's a user mistake. NFTs are unique, even if someone does a copy of your profile (which is also possible in web2), I consider it informational. Injection is a problem for the web2 part of the protocol, not a bug here. For the age, it depends on the country's law and future medicine. Anyways, that's more an ethical/political problem, not a bug.
