DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

SoulboundProfileNFT: Inability to Update Profile Attributes (e.g., Age)

Summary

One of the stored attributes in the profile is the user’s age, which can become outdated as time passes. Since there is no update function, users are forced to burn and re-mint their profile to correct their age—this approach contradicts the soulbound principle and disrupts the continuity of a user’s on-chain identity.

Vulnerability Details

  1. Static Age Field

    • The user’s age is permanently set at the time of minting. After a year, the stored age in the NFT no longer reflects the user’s current age.

    • There is no contract method to update the age field.

  2. Forced Burn and Re-Mint

    • To correct an outdated profile attribute, the only option is to burn the existing NFT (burnProfile) and create a new one (mintProfile).

    • Re-minting a new NFT erases the historical record tied to the previous token ID, undermining the “soulbound” concept of a continuous, immutable identity.

Impact

  • Loss of Accuracy: Over time, age becomes inaccurate, and the profile’s integrity diminishes.

  • Disrupted User Experience: Burning and re-minting is cumbersome, forcing users to lose any on-chain history or recognition tied to their existing profile.

  • Weakens Soulbound Principles: The repeated minting of new tokens for trivial updates (like a yearly age change) contrasts with the idea of a persistent, non‐transferable identity.

Tools Used

  • Manual Code Inspection: Verified that _profiles[tokenId] is set once during mint and never updated.

  • High-Level Review: Observed the logical impact on the application’s user experience and “soulbound” ethos.

Recommendations

  1. Implement an updateProfile Function

    • Allow users to modify mutable attributes such as age or profileImage in place, without discarding their entire profile NFT.

    • For example:

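      function updateProfile(string calldata newName, uint8 newAge, string calldata newProfileImage) external {
          // Look up the caller's existing token; 0 means no profile has been minted
          uint256 tokenId = profileToToken[msg.sender];
          require(tokenId != 0, "No existing profile");
          // Overwrite the stored attributes in place, keeping the same token ID
          _profiles[tokenId] = Profile(newName, newAge, newProfileImage);
      }

  2. Emit Update Events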

    • Emit a ProfileUpdated event whenever a user’s profile changes. This preserves an on-chain history of profile evolution.
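
Recommendations 1 and 2 combined, as an added example that is neither the DatingDapp contract nor the submitter's code: a minimal stand-in that updates only age and profileImage in place, so the token ID survives and every change is logged. The storage layout (`_nextTokenId`, IDs starting at 1), the custom errors, the `getProfile` helper and the `ProfileUpdated` event fields are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example: simplified stand-in for the profile storage, not the audited contract.
contract ProfileUpdateSketch {
    struct Profile {
        string name;
        uint8 age;
        string profileImage;
    }

    // Assumption: token IDs start at 1, so 0 means "no profile minted".
    uint256 private _nextTokenId;
    mapping(address => uint256) public profileToToken;
    mapping(uint256 => Profile) private _profiles;

    // Assumed event shape: old and new age are both logged so indexers can rebuild history.
    event ProfileUpdated(address indexed user, uint256 indexed tokenId, uint8 oldAge, uint8 newAge, string newProfileImage);

    error NoProfile();
    error AlreadyMinted();

    function mintProfile(string calldata name, uint8 age, string calldata profileImage) external {
        if (profileToToken[msg.sender] != 0) revert AlreadyMinted();
        uint256 tokenId = ++_nextTokenId;
        profileToToken[msg.sender] = tokenId;
        _profiles[tokenId] = Profile(name, age, profileImage);
    }

    /// Updates only the mutable attributes; the name and the token ID stay fixed.
    function updateProfile(uint8 newAge, string calldata newProfileImage) external {
        uint256 tokenId = profileToToken[msg.sender];
        if (tokenId == 0) revert NoProfile();
        Profile storage p = _profiles[tokenId];
        uint8 oldAge = p.age;
        p.age = newAge;
        p.profileImage = newProfileImage;
        emit ProfileUpdated(msg.sender, tokenId, oldAge, newAge, newProfileImage);
    }

    function getProfile(uint256 tokenId) external view returns (Profile memory) {
        return _profiles[tokenId];
    }
}
```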

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
