DatingDapp
First Flight #33
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

There is no age restriction on profile sign-ups. Under-age users can create profiles.

yeahchibyke

Summary

There is no age restriction on profile sign-ups, so users of any age -especially under-age users- can create profiles.

Vulnerability Details

As is customary with all dating platforms, there is an age restriction put in place so that under-age profiles are not created.

SoulboundProfileNFT::mintProfile() however does not have such restrictions. Users have to specify their age when sign-ing up, but beacuse there are no such restrictions, any age number can be used to sign up.

Impact

While this flaw does not affect the protocol from a security point of view, its impact stretches far into the real life.

Government regulation bodies will ban this protocol. Child rights organizations will hit this protocol with all sorts of lawsuits.

I would not want to be on the legal team of this protocol. I would go bald.

Tools Used

  • Manual Review

  • Foundry

PoC

Add the following test to the test contract:

function testCanMintUnderAgeProfiles() public {
address kid = makeAddr("under-age");
address embryo = makeAddr("zero-age");
vm.prank(kid);
soulboundNFT.mintProfile("Kid", 4, "ipfs://baby_diaper_image");
vm.prank(embryo);
soulboundNFT.mintProfile("Zero", 0, "ipfs://does_not_exist_image");
uint256 kidTokenId = soulboundNFT.profileToToken(kid);
uint256 embryoTokenId = soulboundNFT.profileToToken(embryo);
assert(kidTokenId == 1);
assert(embryoTokenId == 2);
}

Recommendations

Add a check in the ::mintProfile() function that ensures that profiles with ages lower than 18 have their sign-ups reverted.

/// @notice Mint a soulbound NFT representing the user's profile.
function mintProfile(string memory name, uint8 age, string memory profileImage) external {
+ require(age >= 18, "Under age users not allowed!!!");
...
...
}
Updates

Appeal created

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_URI_injection_scam_underaged_bad_name_photo_etc

Scamming/phishing is not the protocol problem, that's a user mistake. NFT are unique, even if someone does a copy of your profile (which is also possible in web2), I consider it informational. Injection is a problem for the web2 part of the protocol, not a bug here. For the age, it depends on the countries law and future medicine. Anyways, that's more an ethical/political problem, not a bug.

yeahchibyke Submitter
5 months ago
n0kto Lead Judge
5 months ago
yeahchibyke Submitter
5 months ago
n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_URI_injection_scam_underaged_bad_name_photo_etc

Scamming/phishing is not the protocol problem, that's a user mistake. NFT are unique, even if someone does a copy of your profile (which is also possible in web2), I consider it informational. Injection is a problem for the web2 part of the protocol, not a bug here. For the age, it depends on the countries law and future medicine. Anyways, that's more an ethical/political problem, not a bug.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.