Description:
The blockProfile function is designed to allow the contract owner to block a user by burning their profile NFT and removing their metadata. However, it emits the ProfileBurned event, which is also used in the burnProfile function when users voluntarily delete their profiles. This creates ambiguity in the event logs, as external observers cannot distinguish between a profile being voluntarily deleted and one being forcefully blocked by the contract owner.
Impact:
Users may be unaware that their profile was blocked rather than voluntarily removed, potentially leading to confusion and disputes.
Proof of Concept:
The following function emits the incorrect event:
Since the ProfileBurned event is also emitted in the burnProfile function, there is no way to differentiate between user-initiated burns and admin-enforced blocks.
Recommended Mitigation:
Introduce a new event specifically for blocked profiles:
Then make the following change:
This ensures clarity in the contract's event logs and allows users and external applications to distinguish between different profile removal actions.
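The following contract is an added illustration of the recommended fix and is not code from the audited project. It keeps the page's function and event names (burnProfile, blockProfile, ProfileBurned) and assumes a new ProfileBlocked event and a ProfileRegistry contract name; the storage layout and access control are simplified placeholders for the real NFT logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract (not the audited code). ProfileRegistry and
/// ProfileBlocked are assumed names chosen for this example.
contract ProfileRegistry {
    address public immutable owner;

    struct Profile {
        bool exists;
        string metadata;
    }

    mapping(address => Profile) private profiles;

    /// Emitted only when the profile holder deletes their own profile.
    event ProfileBurned(address indexed user);
    /// Emitted only when the owner forcibly removes a profile (assumed name).
    event ProfileBlocked(address indexed user, address indexed blockedBy);

    error NotOwner();
    error NoProfile();

    constructor() {
        owner = msg.sender;
    }

    function createProfile(string calldata metadata) external {
        profiles[msg.sender] = Profile({exists: true, metadata: metadata});
    }

    function hasProfile(address user) external view returns (bool) {
        return profiles[user].exists;
    }

    /// Shared teardown so both removal paths clear exactly the same state;
    /// only the emitted event differs.
    function _removeProfile(address user) internal {
        if (!profiles[user].exists) revert NoProfile();
        delete profiles[user];
    }

    /// User-initiated deletion: emits ProfileBurned.
    function burnProfile() external {
        _removeProfile(msg.sender);
        emit ProfileBurned(msg.sender);
    }

    /// Owner-enforced removal: emits ProfileBlocked and never ProfileBurned,
    /// so log consumers can tell the two cases apart by event signature.
    function blockProfile(address user) external {
        if (msg.sender != owner) revert NotOwner();
        _removeProfile(user);
        emit ProfileBlocked(user, msg.sender);
    }
}
```

With distinct events, an indexer or front end can subscribe to the ProfileBlocked topic alone to surface admin actions, and a unit test can assert on the exact event each path emits (for example with a Foundry `vm.expectEmit` check) so a future refactor cannot silently merge the two paths again.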
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.