DatingDapp
First Flight #33
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

Unrealistic Age Values in SoulboundProfileNFT Metadata

prashikshit

Summary

The SoulboundProfileNFT contract allows users to mint profiles with unrealistic or invalid age values (e.g., age = 0 or age = 200). This undermines the protocol’s credibility and could lead to misuse, as the platform is likely intended for adults. Without validation, attackers can create profiles with absurd ages, eroding user trust and violating potential legal requirements.

Vulnerability Details

Location

  • Contract: SoulboundProfileNFT.sol

  • Function: mintProfile

Root Cause

  • The mintProfile function does not validate the age parameter. Users can input any value within the uint8 range (0–255), including invalid ages like 0 or 255.

  • Example attack: A user mints a profile with age = 5, which is clearly unrealistic for a dating platform.

Code Snippet

function mintProfile(string memory name, uint8 age, string memory profileImage) external {
require(profileToToken[msg.sender] == 0, "Profile already exists");
// No validation for the `age` parameter
// ...
}

Impact

Severity: Low-Medium

  • Credibility Risk: The protocol may be seen as unserious or unsafe if fake profiles with absurd ages proliferate.

  • Legal Risk: If the platform is intended for adults (18+), allowing underage profiles could violate regulations.

  • User Experience: Genuine users may avoid the platform if they encounter obviously fake profiles.

Recommended Mitigation

Fix: Add Age Validation

Enforce a minimum age requirement (e.g., 18) in the mintProfile function:

function mintProfile(string memory name, uint8 age, string memory profileImage) external {
require(profileToToken[msg.sender] == 0, "Profile already exists");
require(age >= 18, "Age must be at least 18"); // Add validation
// ... rest of the code ...
}

Additional Recommendations

  1. Upper Bound Check:
    Consider adding a reasonable upper limit (e.g., age <= 120) to prevent unrealistic values:

    require(age <= 120, "Age must be realistic");

  2. Configurable Age Range:
    Store minimum and maximum age values in mutable variables (e.g., controlled by governance) for flexibility.

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_URI_injection_scam_underaged_bad_name_photo_etc

Scamming/phishing is not the protocol problem, that's a user mistake. NFT are unique, even if someone does a copy of your profile (which is also possible in web2), I consider it informational. Injection is a problem for the web2 part of the protocol, not a bug here. For the age, it depends on the countries law and future medicine. Anyways, that's more an ethical/political problem, not a bug.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.