DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

Users Can Mint Profiles with Empty Fields

Summary

The mintProfile function does not validate input fields such as name and age. This allows users to mint profiles with empty names ("") or an age of 0, which could lead to incomplete or invalid profile data being stored on-chain.

Vulnerability Details

  • Deploy the smart contract.

  • Call mintProfile("", 0, "someImageURL").

  • The contract successfully mints the profile despite missing critical information.

Impact

The contract allows minting profiles with an empty name and an invalid age.

Tools Used

Manual review

Recommendations

Add validation checks before minting:

require(bytes(name).length > 0, "Name cannot be empty");
require(age > 0, "Age must be greater than 0");
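
The two checks above, placed in a mintProfile function and exercised with a Foundry test. This is an added example, not the DatingDapp contract or the submitter's code: ProfileRegistry, its storage layout and the uint8 age type are assumptions, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the profile contract: only what is needed to
// exercise the input checks is modelled (no ERC-721 logic).
contract ProfileRegistry {
    struct Profile {
        string name;
        uint8 age;
        string profileImage;
    }

    mapping(address => Profile) public profiles;

    function mintProfile(string memory name, uint8 age, string memory profileImage) external {
        // bytes(name).length counts bytes, so a name such as " " still passes.
        require(bytes(name).length > 0, "Name cannot be empty");
        require(age > 0, "Age must be greater than 0");
        profiles[msg.sender] = Profile(name, age, profileImage);
    }
}

contract ProfileRegistryTest is Test {
    ProfileRegistry internal registry;

    function setUp() public {
        registry = new ProfileRegistry();
    }

    // The call from the submission: the name check runs first and reverts.
    function test_RevertsOnEmptyNameAndZeroAge() public {
        vm.expectRevert(bytes("Name cannot be empty"));
        registry.mintProfile("", 0, "someImageURL");
    }

    function test_RevertsOnZeroAge() public {
        vm.expectRevert(bytes("Age must be greater than 0"));
        registry.mintProfile("Alice", 0, "someImageURL");
    }

    function test_MintsValidProfile() public {
        registry.mintProfile("Alice", 25, "someImageURL");
        (string memory name, uint8 age,) = registry.profiles(address(this));
        assertEq(name, "Alice");
        assertEq(uint256(age), 25);
    }
}
```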

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_URI_injection_scam_underaged_bad_name_photo_etc

Scamming/phishing is not the protocol's problem, that's a user mistake. NFTs are unique, even if someone makes a copy of your profile (which is also possible in web2), I consider it informational. Injection is a problem for the web2 part of the protocol, not a bug here. For the age, it depends on the country's law and future medicine. Anyways, that's more an ethical/political problem, not a bug.
