Blocked Accounts Can Create New Profile With The Same Address
Summary
Blocked accounts can create new profile with the same address
Vulnerability Details
The blockProfile function removes a user's existing profile NFT but doesn't prevent them from creating new profiles using the same wallet address. This limitation allows blocked users to bypass restrictions by simply minting a new profile, undermining the platform's moderation efforts.
Impact
Repeated Abuse: Malicious actors can recreate profiles after being blocked
Moderation Futility: Blocking becomes ineffective against determined users
Trust Erosion: Legitimate users lose faith in platform safety
Tools Used
Manual Code Review
Recommendations
Add Address Blocking:
mapping(address => bool) public blockedAddresses;function blockProfile(address blockAddress) external onlyOwner {// ... existing code ...blockedAddresses[blockAddress] = true;}function mintProfile(...) external {require(!blockedAddresses[msg.sender], "Blocked");// ... existing code ...}
Appeal created
finding_blocked_user_can_recreate_a_profil
Likelihood: Low, any blocked users. Impact: High, not really blocked.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.