Submission Details
Severity:
Blocked User in `blockProfile:SoulboundProfileNFT.sol` can re-mint another profile NFT
Description: the blockProfile function is intended to prevent blocked users from using profile NFTs.
However, it only removes their current profile, allowing blocked users to mint a new profile NFT without restriction.
Impact: user/address will not actually be blocked.
Proof of Concept:
add the following to testSoulboundProfileNFT.t.sol
function testBlockedUserCanReMint() public {
vm.prank(user);
soulboundNFT.mintProfile("Alice", 25, "ipfs://profileImage");
assertEq(soulboundNFT.balanceOf(user), 1);
vm.prank(owner);
soulboundNFT.blockProfile(user);
assertEq(soulboundNFT.balanceOf(user), 0);
vm.prank(user);
soulboundNFT.mintProfile("Bob", 30, "ipfs://profileImage");
assertEq(soulboundNFT.balanceOf(user), 1); // user can mint after being blocked
}
Recommended Mitigation:
can use a mapping to store all blocked users.
Updates
Appeal created
n0kto 7 months ago
Submission Judgement Published Assigned finding tags:
finding_blocked_user_can_recreate_a_profil
Likelihood: Low, any blocked users. Impact: High, not really blocked.
Rewards breakdown
nSLOC
197This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.