Profile Token ID Conflict Due to Default Zero Value
Summary
In the mintProfile function, the profileToToken mapping defaults to 0 for unregistered users. If _nextTokenId starts at 0, the first minted profile will have a token ID of 0. This causes a conflict where the check profileToToken[msg.sender] == 0 incorrectly assumes that the user has not minted a profile, even if they have.
Vulnerability Details
Steps to Reproduce:
Deploy the smart contract with
_nextTokenIduninitialized (defaults to0).A user calls
mintProfile()for the first time.The contract assigns token ID
0to the user and updatesprofileToToken[msg.sender] = 0.If the user tries to mint another profile, the
require(profileToToken[msg.sender] == 0, "Profile already exists");check does not prevent them from doing so becauseprofileToToken[msg.sender] == 0is still true.
Impact
The user is able to mint multiple profiles because the check against profileToToken[msg.sender] == 0 is unreliable when 0 is a valid token ID.
Tools Used
manual review
Recommendations
Initialize _nextTokenId to 1 instead of 0, ensuring that no valid token ID is ever 0
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.