The SoulboundProfileNFT::blockProfile function claims to allow the app owner to block an address. The code in the function only burns the current profile held by the address to be blocked. There is no record of blocked addresses, and nothing prevents a blocked address from creating a new profile. Additionally, the LikeRegistry::likes and LikeRegistry::userBalances mappings are keyed by address to map each user to their likes and balances. These entries are not erased when the user is blocked and their profile is deleted, so the blocked user can create a fresh profile and still have access to the like data and funds associated with their old profile.
Owner cannot block addresses using the SoulboundProfileNFT::blockProfile function.
The testBlockProfileAsOwner test can be modified as follows to prove that a blocked address can mint a new profile:
Additional tests can be written for the LikeRegistry contract which demonstrate how the blocked user can recover their old like and balance data on creating a new profile. One such test is shown below:
VSCode, Foundry
The contract can keep track of blocked addresses with a mapping(address => bool). Then, a new check can be added in SoulboundProfileNFT::mintProfile to prevent blocked addresses from minting a profile NFT.
Alternatively, while blocking a user, all data associated with the blocked address should be deleted and any balance should be refunded to the users who liked the blocked address.
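The first mitigation described above, written out as an added example that is not the audited project's code: a minimal soulbound profile contract with a persistent blocked mapping that blockProfile sets and mintProfile checks, followed by a Foundry regression test for the fix. The contract layout, the profileOf bookkeeping, the error names and the test contract are all assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added illustration (not the audited project's code). Names such as
// `blocked`, `profileOf` and `AddressBlocked` are assumptions for this example.
contract SoulboundProfileNFTExample {
    address public immutable owner;
    uint256 private _nextTokenId = 1;

    // tokenId currently held by each address (0 = no profile)
    mapping(address => uint256) public profileOf;
    mapping(uint256 => address) public ownerOf;

    // Fix: persistent record of blocked addresses, independent of whether
    // the address currently holds a profile.
    mapping(address => bool) public blocked;

    error NotOwner();
    error AddressBlocked(address user);
    error AlreadyHasProfile(address user);

    event ProfileMinted(address indexed user, uint256 indexed tokenId);
    event ProfileBurned(address indexed user, uint256 indexed tokenId);
    event ProfileBlocked(address indexed user);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function mintProfile() external {
        // Fix: a blocked address can no longer create a fresh profile.
        if (blocked[msg.sender]) revert AddressBlocked(msg.sender);
        if (profileOf[msg.sender] != 0) revert AlreadyHasProfile(msg.sender);

        uint256 tokenId = _nextTokenId++;
        profileOf[msg.sender] = tokenId;
        ownerOf[tokenId] = msg.sender;
        emit ProfileMinted(msg.sender, tokenId);
    }

    function blockProfile(address user) external onlyOwner {
        // Record the block first: it must survive even if the address holds
        // no profile at the moment, otherwise the burn alone is meaningless.
        blocked[user] = true;

        uint256 tokenId = profileOf[user];
        if (tokenId != 0) {
            delete profileOf[user];
            delete ownerOf[tokenId];
            emit ProfileBurned(user, tokenId);
        }
        emit ProfileBlocked(user);
    }
}

// Foundry regression test for the fix (also part of this added example).
contract BlockProfileFixTest is Test {
    SoulboundProfileNFTExample internal nft;
    address internal user = makeAddr("user");

    function setUp() public {
        nft = new SoulboundProfileNFTExample(); // test contract is the owner
    }

    function testBlockedUserCannotMintAgain() public {
        vm.prank(user);
        nft.mintProfile();
        assertEq(nft.profileOf(user), 1);

        nft.blockProfile(user);
        assertEq(nft.profileOf(user), 0);
        assertTrue(nft.blocked(user));

        // The blocked address is rejected on its next mint attempt.
        vm.prank(user);
        vm.expectRevert(
            abi.encodeWithSelector(SoulboundProfileNFTExample.AddressBlocked.selector, user)
        );
        nft.mintProfile();
    }
}
```

The same blocked mapping can be consulted by LikeRegistry (for example, by rejecting likes to or from a blocked address) so that stale like and balance entries cannot be reused through a new profile; that wiring is not shown here because the registry's code is not on this page.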
Likelihood: Low, only blocked users are affected. Impact: High, the user is not actually blocked.