Submission Details
Severity:
Blocked User Can Re-register with Same Data and Address
Summary
The `blockProfile` function only burns the NFT associated with the user's address but does not prevent the user from minting a new profile with the same data or even the same address. This means a blocked user can bypass the block by simply re-minting their profile.
Vulnerability Details
### Proof of Concept (PoC):
Below is a test case demonstrating how a blocked user can currently re-register, exploiting the lack of a blocking mechanism:
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import "forge-std/Test.sol";
import "../src/SoulboundProfileNFT.sol";
contract SoulboundProfileNFTExploitTest is Test {
SoulboundProfileNFT soulboundNFT;
address owner = address(this);
address user = address(0x123);
function setUp() public {
soulboundNFT = new SoulboundProfileNFT();
}
function testBlockedUserCanReregister() public {
// Mint a profile for the user
vm.prank(user);
soulboundNFT.mintProfile("TestUser", 25, "ipfs://test");
// Block the user
soulboundNFT.blockProfile(user);
// Verify the profile is burned
assertEq(soulboundNFT.profileToToken(user), 0, "Profile should be burned");
// Attempt to re-register with the same data
vm.prank(user);
soulboundNFT.mintProfile("TestUser", 25, "ipfs://test");
// Check if the user can re-register (which should fail in a secure system)
assertEq(soulboundNFT.profileToToken(user) != 0, true, "Blocked user should not be able to re-register");
}
}
```
PoC Explanation:
The test mints a profile for a user, then blocks them using blockProfile.
After blocking, it verifies that the profile is indeed burned.
However, the user can then re-mint a profile with the same data, demonstrating the vulnerability.
In a secure system, the second minting should fail due to the user being blocked, which is not the case here.
Impact
Allows banned or problematic users to return to the platform, potentially continuing harmful or unwanted behavior.
Undermines the effectiveness of any moderation or user-blocking mechanisms in place.
Could lead to a negative user experience for others if the same malicious actors or spammers return repeatedly.
Tools Used
Manual review and Foundry
Recommendations
Implement a permanent or temporary blacklist of addresses that are blocked:
Add a `mapping(address => bool)` named `blockedAddresses` where setting an address to true indicates it's blocked.
Before minting in the mintProfile function, check if `blockedAddresses[msg.sender]` is `false`. If it's `true`, revert with an appropriate message.
Here's how you might modify the contracts:
```solidity
mapping(address => bool) public blockedAddresses;
function blockProfile(address blockAddress) external onlyOwner {
uint256 tokenId = profileToToken[blockAddress];
require(tokenId != 0, "No profile found");
_burn(tokenId);
delete profileToToken[blockAddress];
delete _profiles[tokenId];
blockedAddresses[blockAddress] = true; // Block the address
emit ProfileBurned(blockAddress, tokenId);
}
function mintProfile(string memory name, uint8 age, string memory profileImage) external {
require(profileToToken[msg.sender] == 0, "Profile already exists");
require(!blockedAddresses[msg.sender], "You are blocked from creating a new profile");
// ... rest of the minting logic
}
```
Consider adding an event for when an address is blocked to allow for off-chain monitoring and notification.
Updates
Appeal created
n0kto 6 months ago
Submission Judgement Published Assigned finding tags:
finding_blocked_user_can_recreate_a_profil
Likelihood: Low, any blocked users. Impact: High, not really blocked.
Rewards breakdown
nSLOC
197This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.