In `src/SoulboundProfileNFT.sol`, the `mintProfile` function first performs its validity checks, then mints the NFT, which may trigger an external call via the receiver's `onERC721Received` hook, and only then updates the contract's internal state. This violates the Checks-Effects-Interactions (CEI) principle and introduces a reentrancy window.
The function implementation is as follows:
In this function, `_safeMint(msg.sender, tokenId)` is executed before `_profiles[tokenId]` and `profileToToken[msg.sender]` are updated. Since `_safeMint` can trigger `onERC721Received`, which lets the receiving contract execute arbitrary logic, an attacker could exploit this reentrancy window to manipulate contract state in an unintended way.
Potential reentrancy attack, leading to unauthorized multiple profile minting
Inconsistent contract state if execution is reverted unexpectedly during the external call
Manual code review
Reorder the function logic to follow the CEI principle: update the contract's internal state before performing any external interaction, and call `_safeMint` only after `_profiles[tokenId]` and `profileToToken[msg.sender]` have been written.
The corrected implementation should be:
This modification ensures that any external contract interaction occurs only after the contract's internal state is securely updated, reducing the risk of reentrancy attacks.
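The following is an added illustration of the ordering issue, not the audited contract's code: a minimal contract built on OpenZeppelin's `ERC721` that shows the vulnerable ordering described above next to the CEI-ordered version. The `Profile` struct fields, the `_nextTokenId` counter and the "one profile per address" check are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

/// Added example contract; mapping names follow the finding, the rest is assumed.
contract SoulboundProfileNFTExample is ERC721 {
    struct Profile { string name; uint8 age; } // assumed shape

    mapping(uint256 => Profile) private _profiles;
    mapping(address => uint256) public profileToToken; // 0 == no profile yet
    uint256 private _nextTokenId; // token ids start at 1 so 0 stays a sentinel

    constructor() ERC721("SoulboundProfile", "SBP") {}

    /// Ordering as described in the finding: the external call happens before
    /// the effects. A contract receiver's onERC721Received runs inside _safeMint
    /// while profileToToken[msg.sender] is still 0, so a re-entrant call to this
    /// function passes the check again and mints a second profile.
    function mintProfileVulnerable(string calldata name, uint8 age) external {
        require(profileToToken[msg.sender] == 0, "Profile already exists"); // check
        uint256 tokenId = ++_nextTokenId;
        _safeMint(msg.sender, tokenId);              // interaction (hands control away)
        _profiles[tokenId] = Profile(name, age);     // effects, written too late
        profileToToken[msg.sender] = tokenId;
    }

    /// CEI ordering: all state is written before _safeMint can call out. A
    /// re-entrant call now sees profileToToken[msg.sender] != 0 and reverts,
    /// and a revert inside the hook rolls back the whole mint, leaving no
    /// half-written profile behind.
    function mintProfile(string calldata name, uint8 age) external {
        require(profileToToken[msg.sender] == 0, "Profile already exists"); // check
        uint256 tokenId = ++_nextTokenId;
        _profiles[tokenId] = Profile(name, age);     // effects first
        profileToToken[msg.sender] = tokenId;
        _safeMint(msg.sender, tokenId);              // interaction last
    }

    function getProfile(uint256 tokenId) external view returns (Profile memory) {
        return _profiles[tokenId];
    }
}
```

A Foundry or Hardhat test that mints from a receiver contract whose `onERC721Received` calls back into the minting function is the quickest way to confirm the difference: the vulnerable function ends with two tokens owned by the receiver, the CEI-ordered one reverts with "Profile already exists".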
Likelihood: High, anyone can do it. Impact: Low, several profiles will be minted, which is not allowed by the protocol, but only the last one will be stored in profileToToken and won't affect `likeUser` or `matchRewards`.