DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: medium
Valid

Centralization Risk Leading to Loss of User Funds via Arbitrary Profile Blocking

Summary

The SoulboundProfileNFT contract allows the contract owner to block any user's profile, burning their NFT. Blocking a user does not, however, refund the ETH that user deposited into the LikeRegistry through likeUser, so that ETH is lost to them.

Vulnerability Details

When a user's profile is blocked via blockProfile, their NFT is burned, but any ETH they sent via likeUser remains credited in userBalances. Balances in userBalances are only cleared when a match pays them out, and a match can no longer be completed for a blocked user because likeUser requires both parties to hold a profile NFT. Since the LikeRegistry exposes no withdrawal path, the blocked user's locked ETH becomes irretrievable.

POC

  1. User A mints a profile and sends 1 ETH to like User B.

  2. Owner blocks User A's profile, burning their NFT.

  3. User A's userBalances entry still holds 1 ETH, but A no longer owns a profile NFT, so no match involving A can be completed, and there is no function A can call to withdraw.

  4. The 1 ETH is permanently stuck in the contract.
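The four PoC steps above as a Foundry test. This is an added example written for this page, not the project's own test suite; the import paths, the constructor arguments and the mintProfile, likeUser, blockProfile and profileExists signatures are assumptions about the project's layout and must be matched to the actual contracts before running. The test asserts on the registry's ETH balance rather than on the userBalances mapping so that it demonstrates the stuck deposit regardless of how the registry accounts for it internally.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";
// Assumed paths to the project's contracts.
import {SoulboundProfileNFT} from "../src/SoulboundProfileNFT.sol";
import {LikeRegistry} from "../src/LikeRegistry.sol";

/// Constructed reproduction of the PoC steps. Contract names and function
/// signatures are assumptions about the project's interfaces.
contract BlockedUserStuckFundsTest is Test {
    SoulboundProfileNFT profileNFT;
    LikeRegistry likeRegistry;

    address owner = makeAddr("owner");
    address userA = makeAddr("userA");
    address userB = makeAddr("userB");

    function setUp() public {
        // The deployer becomes the NFT owner and therefore may call blockProfile.
        vm.startPrank(owner);
        profileNFT = new SoulboundProfileNFT();
        likeRegistry = new LikeRegistry(address(profileNFT));
        vm.stopPrank();

        vm.deal(userA, 1 ether);
        vm.deal(userB, 1 ether);

        // Both users hold a profile so that likeUser accepts them.
        vm.prank(userA);
        profileNFT.mintProfile("Alice", 25, "ipfs://alice");
        vm.prank(userB);
        profileNFT.mintProfile("Bob", 27, "ipfs://bob");
    }

    function test_blockedUserCannotRecoverLikeDeposit() public {
        // Step 1: User A likes User B and deposits 1 ETH into the registry.
        vm.prank(userA);
        likeRegistry.likeUser{value: 1 ether}(userB);
        assertEq(address(likeRegistry).balance, 1 ether);
        assertEq(userA.balance, 0);

        // Step 2: the owner blocks User A, which burns A's profile NFT.
        vm.prank(owner);
        profileNFT.blockProfile(userA);
        assertFalse(profileNFT.profileExists(userA));

        // Step 3: the only code path that clears balances is a match, but
        // likeUser rejects targets without a profile, so B can no longer
        // like A back and no match can ever be formed.
        vm.prank(userB);
        vm.expectRevert();
        likeRegistry.likeUser{value: 1 ether}(userA);

        // Step 4: the deposit is still held by the registry and A has no
        // function to withdraw it (there is no withdraw call to make here).
        assertEq(address(likeRegistry).balance, 1 ether);
        assertEq(userA.balance, 0);
    }
}
```

Run it with forge test --match-test test_blockedUserCannotRecoverLikeDeposit -vvv. The expectRevert on step 3 is deliberately unspecific about the revert reason so that the test still passes if the project's error message differs from what this example assumes.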

Impact

Malicious or compromised owners can arbitrarily block users, causing irreversible loss of ETH used for likes. This undermines trust in the platform's fund security.

Tools Used

Manual code review, Slither static analysis.

Recommendations

  • Remove the blockProfile function entirely and implement a decentralized governance system for profile moderation

  • Add a fund recovery mechanism that allows users to withdraw their locked ETH if their profile is blocked

  • Implement a timelock on profile blocking to allow users to withdraw funds

  • Add a dispute resolution mechanism for blocked profiles
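One way to implement the fund recovery recommendation above, as an added example and not the project's own code: a minimal registry that credits each deposit in userBalances and lets an address whose profile no longer exists pull its balance back. The IProfileNFT interface, the contract name and the likeUser body are assumptions that stand in for the project's LikeRegistry and SoulboundProfileNFT; only the recovery path is the point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Assumed subset of the project's SoulboundProfileNFT interface: blockProfile
/// burns the token, after which profileExists returns false for that address.
interface IProfileNFT {
    function profileExists(address user) external view returns (bool);
}

/// Hypothetical hardened registry (example code, not the project's contract).
contract LikeRegistryWithRecovery {
    IProfileNFT public immutable profileNFT;
    mapping(address => uint256) public userBalances;
    mapping(address => mapping(address => bool)) public likes;
    bool private locked;

    event Liked(address indexed liker, address indexed liked);
    event BlockedFundsRecovered(address indexed user, uint256 amount);

    constructor(address _profileNFT) {
        profileNFT = IProfileNFT(_profileNFT);
    }

    // Simple reentrancy guard around the ETH-sending path.
    modifier nonReentrant() {
        require(!locked, "Reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(msg.sender != liked, "Cannot like yourself");
        require(!likes[msg.sender][liked], "Already liked");
        require(profileNFT.profileExists(msg.sender), "Must have a profile NFT");
        require(profileNFT.profileExists(liked), "User does not have a profile NFT");

        likes[msg.sender][liked] = true;
        // Credit the deposit so it can later be paid out on a match or refunded.
        userBalances[msg.sender] += msg.value;
        emit Liked(msg.sender, liked);
        // Match detection and payout are omitted; a match would zero both
        // balances before forwarding the ETH, exactly as the refund below does.
    }

    /// Refund path for users whose profile has been blocked (burned).
    /// An address that never minted a profile also fails profileExists, but
    /// it cannot hold a balance because likeUser requires a profile, so the
    /// amount check keeps this function from doing anything for such callers.
    function recoverBlockedFunds() external nonReentrant {
        require(!profileNFT.profileExists(msg.sender), "Profile still active");
        uint256 amount = userBalances[msg.sender];
        require(amount > 0, "Nothing to recover");

        // Checks-effects-interactions: clear the balance before sending ETH,
        // so a re-entered call or a later match cannot pay the same ETH twice.
        userBalances[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "Refund failed");
        emit BlockedFundsRecovered(msg.sender, amount);
    }
}
```

The refund is pull-based rather than performed inside blockProfile on purpose: blockProfile lives in the NFT contract and is owner-only, and pushing ETH from there would both couple the two contracts and let a reverting recipient block the moderation action. Pull-based recovery also composes with the timelock recommendation, since a user whose block is pending can already call a withdrawal of this shape.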

Updates

Appeal created

n0kto Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_blocking_or_burning_no_refund_balances_or_multisig

Likelihood: Low; burning with money in it would be a user mistake, and being blocked is low. Impact: High; loss of funds.
