DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: medium
Valid

App owner can lock users' funds by blocking them

Summary

The app owner can block any user at will, and a blocked user's previously paid funds remain locked in the protocol.

Vulnerability Details

SoulboundProfileNFT::blockProfile lets the owner burn any user's profile NFT at will, with no refund of funds that user has already paid into the protocol.

/// @notice App owner can block users
function blockProfile(address blockAddress) external onlyOwner {
    uint256 tokenId = profileToToken[blockAddress];
    require(tokenId != 0, "No profile found");
    _burn(tokenId);
    delete profileToToken[blockAddress];
    delete _profiles[tokenId];
    emit ProfileBurned(blockAddress, tokenId);
}

Proof of Concept

The following test demonstrates the scenario where the app owner blocks Bob, after which Bob is no longer able to call LikeRegistry::likeUser. Since the contract offers no way to withdraw funds, Bob's funds are now locked.

Place test_blockProfileAbuseCanCauseFundLoss in testSoulboundProfileNFT.t.sol:

function test_blockProfileAbuseCanCauseFundLoss() public {
    vm.deal(bob, 10 ether);
    vm.deal(alice, 10 ether);
    // mint a profile NFT for Bob
    vm.prank(bob);
    soulboundNFT.mintProfile("Bob", 25, "ipfs://profileImage");
    // mint a profile NFT for Alice
    vm.prank(alice);
    soulboundNFT.mintProfile("Alice", 25, "ipfs://profileImage");
    // alice <3 bob
    vm.prank(alice);
    likeRegistry.likeUser{value: 1 ether}(bob);
    // the owner blocks Bob, which burns his profile NFT
    vm.prank(owner);
    soulboundNFT.blockProfile(bob);
    // check Bob's entry (not msg.sender, which is the test runner and never had a profile)
    assertEq(soulboundNFT.profileToToken(bob), 0);
    vm.startPrank(bob);
    vm.expectRevert("Must have a profile NFT");
    // bob is no longer able to like a user, as his profile NFT is deleted
    // his funds are effectively locked
    likeRegistry.likeUser{value: 1 ether}(alice);
    vm.stopPrank();
}

And run the test:

$ forge test --mt test_blockProfileAbuseCanCauseFundLoss
Ran 1 test for test/testSoulboundProfileNFT.t.sol:SoulboundProfileNFTTest
[PASS] test_blockProfileAbuseCanCauseFundLoss() (gas: 326392)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.42ms (219.63µs CPU time)
Ran 1 test suite in 140.90ms (1.42ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)

Impact

App users can have their funds locked, as well as miss out on potential dates.

Tools used

Manual review, tests

Recommendations

Gate blocking behind a voting or multi-party mechanism so a single owner cannot abuse or centralize the feature.
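As an added illustration of the recommendation (this is example code written for this report, not DatingDapp's contracts), the sketch below combines a minimal profile registry and a like-escrow in one contract so it is self-contained. It assumes a hypothetical second approver called guardian (for instance a multisig) and a BLOCK_DELAY of 3 days; both are assumptions, not values from the project. Blocking becomes a two-step, time-locked action that flags the profile instead of burning it, and a pull-based withdraw keeps a blocked user's escrowed ETH reachable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @dev Illustrative contract, not DatingDapp code. Profile registry and
/// like-escrow are merged here so the example compiles on its own.
contract SafeBlockProfile {
    uint256 public constant BLOCK_DELAY = 3 days; // assumed delay

    address public immutable owner;
    address public immutable guardian; // assumed second approver, e.g. a multisig

    uint256 private nextTokenId = 1;
    mapping(address => uint256) public profileToToken;
    mapping(address => bool) public blocked;
    mapping(address => uint256) public blockEffectiveAt; // 0 = no pending block
    mapping(address => uint256) public escrowed;         // ETH each user paid into likes

    event BlockProposed(address indexed user, uint256 effectiveAt);
    event BlockCancelled(address indexed user);
    event ProfileBlocked(address indexed user, uint256 tokenId);
    event Withdrawn(address indexed user, uint256 amount);

    error NotAuthorized();
    error NoProfile();
    error NoPendingBlock();
    error DelayNotElapsed();
    error UserBlocked();

    constructor(address _guardian) {
        owner = msg.sender;
        guardian = _guardian;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotAuthorized();
        _;
    }

    function mintProfile() external {
        require(profileToToken[msg.sender] == 0, "Already has a profile");
        profileToToken[msg.sender] = nextTokenId++;
    }

    /// @notice Pay to like another user; the payment stays attributed to the payer.
    function likeUser(address target) external payable {
        if (profileToToken[msg.sender] == 0) revert NoProfile();
        if (blocked[msg.sender]) revert UserBlocked();
        require(profileToToken[target] != 0, "Target has no profile");
        escrowed[msg.sender] += msg.value;
    }

    /// @notice Step 1: the owner proposes a block; nothing is destroyed yet.
    function proposeBlock(address user) external onlyOwner {
        if (profileToToken[user] == 0) revert NoProfile();
        blockEffectiveAt[user] = block.timestamp + BLOCK_DELAY;
        emit BlockProposed(user, blockEffectiveAt[user]);
    }

    /// @notice Owner or guardian can cancel a pending block during the delay.
    function cancelBlock(address user) external {
        if (msg.sender != owner && msg.sender != guardian) revert NotAuthorized();
        if (blockEffectiveAt[user] == 0) revert NoPendingBlock();
        delete blockEffectiveAt[user];
        emit BlockCancelled(user);
    }

    /// @notice Step 2: only the guardian executes, and only after the delay.
    /// The profile is flagged, not burned, and the escrow is left withdrawable.
    function executeBlock(address user) external {
        if (msg.sender != guardian) revert NotAuthorized();
        uint256 effectiveAt = blockEffectiveAt[user];
        if (effectiveAt == 0) revert NoPendingBlock();
        if (block.timestamp < effectiveAt) revert DelayNotElapsed();
        delete blockEffectiveAt[user];
        blocked[user] = true;
        emit ProfileBlocked(user, profileToToken[user]);
    }

    /// @notice Pull-based refund, available whether or not the caller is blocked.
    function withdraw() external {
        uint256 amount = escrowed[msg.sender];
        require(amount > 0, "Nothing to withdraw");
        escrowed[msg.sender] = 0; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Refund failed");
        emit Withdrawn(msg.sender, amount);
    }
}
```

The two properties worth testing in Foundry are that executeBlock reverts before the delay or when called by the owner alone, and that withdraw still returns the full escrowed balance to an address after it has been blocked.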

Updates

Appeal created

n0kto Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_blocking_or_burning_no_refund_balances_or_multisig

Likelihood: Low, burning with money in it would be a user mistake, and being blocked is Low. Impact: High, loss of funds
