DatingDapp
First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: low
Invalid

Unrestricted Profile Name Input Enables Storage of Malicious or Oversized Content

Summary

In the SoulboundProfileNFT contract, the mintProfile function accepts profile names without any length or character validation, so a user can store an arbitrarily long string, or any content at all, in their profile name.

Vulnerability Details

contract SoulboundProfileNFT is ERC721, Ownable {
    function mintProfile(
        string memory name, // Unchecked input: no length or character validation
        uint8 age,
        string memory profileImage
    ) external {
        require(profileToToken[msg.sender] == 0, "Profile already exists");
        uint256 tokenId = ++_nextTokenId;
        // Name stored without validation
        _profiles[tokenId] = Profile(name, age, profileImage);
    }
}

Impact

  • Blockchain bloat from unnecessary data

  • Increased storage costs for platform

  • Excessive gas costs for oversized names

Recommendations

Add a modifier to validate profile names.

contract SoulboundProfileNFT {
    // MAX_NAME_LENGTH and containsOnlyAllowedChars are not defined in the
    // excerpt above; the contract must declare the constant and implement
    // the byte-level character check for this modifier to compile.
    modifier validProfileName(string memory name) {
        require(bytes(name).length > 0, "Name cannot be empty");
        require(bytes(name).length <= MAX_NAME_LENGTH, "Name too long");
        require(containsOnlyAllowedChars(name), "Invalid characters");
        _;
    }

    function mintProfile(
        string memory name,
        uint8 age,
        string memory profileImage
    ) external validProfileName(name) {
        // ... rest of function
    }
}

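As an added example (not DatingDapp's code) of the pieces the recommended modifier relies on: a library that implements the length bound and containsOnlyAllowedChars at the byte level, plus a Foundry test on constructed inputs. The value MAX_NAME_LENGTH = 32 and the allowed character set are assumptions, not values taken from the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example, not DatingDapp's code: byte-level name validation that a
// `validProfileName` modifier can call.
library ProfileNameValidator {
    // Assumed cap; the report does not state a MAX_NAME_LENGTH value.
    uint256 internal constant MAX_NAME_LENGTH = 32;

    // Allow only printable ASCII: 0-9, A-Z, a-z, space, '-', '_', '.'.
    // Control bytes, multi-byte UTF-8 and markup characters are rejected.
    function isAllowedByte(bytes1 b) internal pure returns (bool) {
        return (b >= 0x30 && b <= 0x39)
            || (b >= 0x41 && b <= 0x5A)
            || (b >= 0x61 && b <= 0x7A)
            || b == 0x20 || b == 0x2D || b == 0x5F || b == 0x2E;
    }

    function containsOnlyAllowedChars(string memory name) internal pure returns (bool) {
        bytes memory raw = bytes(name);
        for (uint256 i = 0; i < raw.length; i++) {
            if (!isAllowedByte(raw[i])) return false;
        }
        return true;
    }

    // Full check: non-empty, bounded, allowed bytes only, and no leading or
    // trailing space so a name cannot render as blank.
    function isValidName(string memory name) internal pure returns (bool) {
        bytes memory raw = bytes(name);
        if (raw.length == 0 || raw.length > MAX_NAME_LENGTH) return false;
        if (raw[0] == 0x20 || raw[raw.length - 1] == 0x20) return false;
        return containsOnlyAllowedChars(name);
    }
}

// Foundry test exercising the validator with constructed inputs.
contract ProfileNameValidatorTest is Test {
    function test_nameValidation() public view {
        assertTrue(ProfileNameValidator.isValidName("alice_01"));
        assertFalse(ProfileNameValidator.isValidName(""));
        assertFalse(ProfileNameValidator.isValidName(string(new bytes(33)))); // over the cap
        assertFalse(ProfileNameValidator.isValidName("bad\x00name"));         // control byte
        assertFalse(ProfileNameValidator.isValidName(unicode"café"));         // multi-byte UTF-8
    }
}
```

The byte loop costs gas proportional to the name length, which is why the length check runs first and bounds that cost.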
Updates

Appeal created

n0kto Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Users mistake, only impacting themselves.

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
