In function `SoulboundProfileNFT::mintProfile` there is an external call that mints the NFT, and the mappings are updated only after the user has successfully minted. The call is this line in the code: `_safeMint(msg.sender, tokenId);`. The attacker's contract (`MaliciousContract`) executes `onERC721Received()`, which calls `mintProfile()` again before the state is updated. The attacker repeats this, minting multiple NFTs before the original function finishes.
Below is the code. If you analyse it, the update `profileToToken[msg.sender] = tokenId;` should happen before the profile mints an NFT with `_safeMint(msg.sender, tokenId);`.
Multiple NFTs can be minted by a single profile, which violates the promise of one NFT mint per profile.
Following the CEI pattern (Checks-Effects-Interactions) would restrict the attack.
In function `SoulboundProfileNFT::mintProfile`, make the changes as mentioned below:
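The reordering described above, as an added example; it is not the audited contract's code or the submitter's patch. Only `mintProfile`, `profileToToken` and `_safeMint` come from the finding. The contract name, the `mintProfileInteractionFirst` function, the `require` check and the token counter are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Added illustration, not the audited contract. Names other than mintProfile,
// profileToToken and _safeMint are hypothetical.
contract ProfileMintOrdering is ERC721 {
    // Token ids start at 1, so 0 in profileToToken means "no profile yet".
    uint256 private _nextTokenId;
    mapping(address => uint256) public profileToToken;

    constructor() ERC721("ProfileMintOrdering", "PMO") {}

    // Ordering described in the finding: interaction first, effect second.
    function mintProfileInteractionFirst() external {
        // Assumed one-profile-per-address check.
        require(profileToToken[msg.sender] == 0, "Profile already exists");
        uint256 tokenId = ++_nextTokenId;

        // _safeMint calls onERC721Received on a contract recipient. At this
        // point profileToToken[msg.sender] is still 0, so a nested call to
        // this function passes the check above and mints again.
        _safeMint(msg.sender, tokenId);

        // Written last: after nested mints unwind, only the final
        // assignment (the outermost call's tokenId) is kept.
        profileToToken[msg.sender] = tokenId;
    }

    // Checks-Effects-Interactions ordering.
    function mintProfile() external {
        // Check
        require(profileToToken[msg.sender] == 0, "Profile already exists");

        // Effects: record the profile before any external code can run.
        uint256 tokenId = ++_nextTokenId;
        profileToToken[msg.sender] = tokenId;

        // Interaction: a nested mintProfile() from onERC721Received now
        // fails the check, because the mapping is already non-zero.
        _safeMint(msg.sender, tokenId);
    }
}
```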
Likelihood: High, anyone can do it. Impact: Low, several profiles will be minted, which is not allowed by the protocol, but only the last one will be stored in profileToToken and won't affect `likeUser` or `matchRewards`.