A user can create a new NFT and keep using the LikeRegistry protocol with the same address.
The LikeRegistry contract uses the address as an identifier. If a user's profile NFT is burned either by themselves or the owner, then the user can create a new NFT and keep using the protocol with the same address. The userBalances would keep the previous profile funds.
A user can test multiple profiles until one is successful.
A user can manipulate other users by creating NFTs with different attributes until they find one that is attractive and gets more likes.
Blocking mechanism doesn't block the user
The burnProfile will burn the user's address NFT, but the user can create a new NFT and continue using the LikeRegistry protocol. It doesn't block the user.
Manual Review
There are a couple of ways that this could be implemented:
The LikeRegistry contract could map the balance to an address and tokenId.
Instead of burning the NFT, the blocking could block the user's tokenId in the LikeRegistry. By doing this, the user is permanently blocked from using the protocol. The contract could also include a method to unblock a user.
There is a risk of locking funds forever. The contract could have a mechanism to return funds to the users that liked the blocked user.
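A sketch of the first two recommendations above, added here as an example and not the audited LikeRegistry code. The interface IProfileNFT, its profileToToken lookup (assumed to return 0 when an address holds no profile), and the names LikeRegistrySketch, blockedToken, setBlocked and likeUser are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed minimal view of the profile NFT contract (hypothetical interface):
// returns the tokenId currently held by an address, or 0 if it holds none.
interface IProfileNFT {
    function profileToToken(address user) external view returns (uint256);
}

// Illustrative only: balances keyed by (address, tokenId) and a block list
// keyed by tokenId, replacing burn-as-block.
contract LikeRegistrySketch {
    IProfileNFT public immutable profileNFT;
    address public immutable owner;

    // Funds belong to one specific profile, so a re-minted profile starts
    // at zero instead of inheriting the previous profile's balance.
    mapping(address => mapping(uint256 => uint256)) public userBalances;

    // Blocking is recorded in the registry; the NFT itself is not burned.
    mapping(uint256 => bool) public blockedToken;

    constructor(IProfileNFT nft) {
        profileNFT = nft;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Passing blocked = false is the unblock path.
    function setBlocked(uint256 tokenId, bool blocked) external onlyOwner {
        blockedToken[tokenId] = blocked;
    }

    function likeUser(address liked) external payable {
        uint256 likerToken = profileNFT.profileToToken(msg.sender);
        uint256 likedToken = profileNFT.profileToToken(liked);
        require(likerToken != 0 && likedToken != 0, "profile required");
        require(!blockedToken[likerToken] && !blockedToken[likedToken], "blocked");
        userBalances[msg.sender][likerToken] += msg.value;
    }
}
```

A tokenId block only holds if the blocked holder cannot burn that token and mint a fresh one, so the profile contract would also need to refuse burns of blocked tokens, or the block would need to be keyed by address as well.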
Likelihood: Low, any blocked users. Impact: High, not really blocked.