DatingDapp

First Flight #33

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Incomplete User Blocking Mechanism Allows Blocked Users to Remint Profiles

seeu

Summary

The blockProfile function in the SoulboundProfileNFT contract is intended to block a user’s profile. However, its current implementation only removes the user’s existing profile without preventing them from minting a new one. Additionally, the function name suggests that a user should be fully blocked, not just have their profile removed.

Vulnerability Details

The blockProfile function burns the user’s NFT and deletes their profile data but does not record the blocked address. Consequently, the mintProfile function, which only checks if a user already has a profile (profileToToken[msg.sender] == 0), allows previously blocked users to remint new profiles.

Following, the current blockProfile Implementation.

src/SoulboundProfileNFT.sol#L56-L66

function blockProfile(address blockAddress) external onlyOwner {

uint256 tokenId = profileToToken[blockAddress];

require(tokenId != 0, "No profile found");

_burn(tokenId);

delete profileToToken[blockAddress];

delete _profiles[tokenId];

emit ProfileBurned(blockAddress, tokenId);

}

Since profileToToken[msg.sender] is reset to 0, blocked users can simply call mintProfile again and create a new profile.

Impact

The lack of a persistent blocklist means that blocked users can repeatedly mint new profiles. This undermines moderation efforts and compromises platform integrity.

Recommendations

Implement a Blocklist

Introduce a mapping to track blocked addresses and modify blockProfile to update it:

+ mapping(address => bool) public isBlocked;

+ event AddressBlocked(address indexed blockedAddress);

// ...

function blockProfile(address blockAddress) external onlyOwner {

require(!isBlocked[blockAddress], "Address already blocked");

uint256 tokenId = profileToToken[blockAddress];

_burn(tokenId);

delete profileToToken[blockAddress];

delete _profiles[tokenId];

+ isBlocked[blockAddress] = true; // Add to blocklist

+ emit AddressBlocked(blockAddress); // New event

- emit ProfileBurned(blockAddress, tokenId);

}

// ...

Restrict Blocked Users in mintProfile

Modify mintProfile to check the blocklist:

function mintProfile(...) external {

require(profileToToken[msg.sender] == 0, "Profile already exists");

+ require(!isBlocked[msg.sender], "Blocked from minting");

// ...

}

Updates

Appeal created

n0kto Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_blocked_user_can_recreate_a_profil

Likelihood: Low, any blocked users. Impact: High, not really blocked.

Rewards breakdown

nSLOC

197

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.