DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

Risk of Owner Self-Blocking in blockProfile Function

Summary

During the review of the blockProfile function in the SoulboundProfileNFT contract, it was observed that the contract owner could inadvertently pass their own address as the blockAddress parameter. This would result in the unintended removal of their own profile NFT, potentially locking them out of profile-related functionalities.

Vulnerability Details

The function performs no check for the case where the owner (msg.sender) mistakenly passes their own address as blockAddress.

    function blockProfile(address blockAddress) external onlyOwner {
        // No guard against blockAddress == msg.sender: the owner's own profile can be burned here.
        uint256 tokenId = profileToToken[blockAddress];
        require(tokenId != 0, "No profile found");
        _burn(tokenId);
        delete profileToToken[blockAddress];
        delete _profiles[tokenId];
        emit ProfileBurned(blockAddress, tokenId);
    }

Impact

  1. Since there is no check preventing the contract owner from passing their own address, they could mistakenly delete their own profile.

  2. If the owner accidentally burns their profile NFT, they may lose access to profile-based functionalities.

Tools Used

Manual Review

Recommendations

Add this check to the blockProfile function:

require(blockAddress != msg.sender, "Owner cannot block themselves");
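The following Foundry test is an added illustration of the recommended guard; it is not code from the DatingDapp repository. It models only the storage and the blockProfile path shown above in a reduced stand-in contract, and assumes OpenZeppelin 5.x plus a hypothetical mintProfile helper so that profiles exist to block.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Reduced stand-in for SoulboundProfileNFT (assumed shape, not the audited contract).
contract ProfileNFTFixed is ERC721, Ownable {
    uint256 private _nextTokenId = 1;
    mapping(address => uint256) public profileToToken;
    mapping(uint256 => string) private _profiles;
    event ProfileBurned(address indexed user, uint256 tokenId);

    constructor() ERC721("Profile", "PRF") Ownable(msg.sender) {}

    // Assumed minting helper so the test can create profiles (not from the finding).
    function mintProfile(string calldata name) external {
        require(profileToToken[msg.sender] == 0, "Profile already exists");
        uint256 tokenId = _nextTokenId++;
        _mint(msg.sender, tokenId); // _mint, not _safeMint: the test contract is a plain receiver
        profileToToken[msg.sender] = tokenId;
        _profiles[tokenId] = name;
    }

    function blockProfile(address blockAddress) external onlyOwner {
        // Recommended guard from the finding: the owner cannot burn their own profile.
        require(blockAddress != msg.sender, "Owner cannot block themselves");
        uint256 tokenId = profileToToken[blockAddress];
        require(tokenId != 0, "No profile found");
        _burn(tokenId);
        delete profileToToken[blockAddress];
        delete _profiles[tokenId];
        emit ProfileBurned(blockAddress, tokenId);
    }
}

contract BlockProfileTest is Test {
    ProfileNFTFixed nft;
    address user = makeAddr("user");

    function setUp() public {
        nft = new ProfileNFTFixed(); // this test contract becomes the owner
        nft.mintProfile("owner");
        vm.prank(user);
        nft.mintProfile("user");
    }

    function test_OwnerCannotBlockSelf() public {
        vm.expectRevert(bytes("Owner cannot block themselves"));
        nft.blockProfile(address(this));
        assertEq(nft.profileToToken(address(this)), 1); // owner's profile is intact
    }
}
```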
Updates

Appeal created

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Admin is trusted

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
