DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: medium
Valid

Profile blocking mechanism doesn't handle user data, leading to protocol inconsistency

Description:

The blockProfile function in SoulboundProfileNFT only burns the NFT and clears profile data, but fails to handle associated user data in the LikeRegistry contract. When a user is blocked, their likes, matches, and associated ETH balances remain in the system, creating inconsistency between profile existence and interaction data.

function blockProfile(address blockAddress) external onlyOwner {
    uint256 tokenId = profileToToken[blockAddress];
    require(tokenId != 0, "No profile found");
    _burn(tokenId);                       // burn the soulbound profile NFT
    delete profileToToken[blockAddress];  // drop the address -> tokenId mapping
    delete _profiles[tokenId];            // clear the stored profile data
    // @audit-issue no cleanup of likes and matches in LikeRegistry
}

Impact:

  • Blocked users' likes remain active in the system

  • ETH from blocked users remains locked in the contract

  • Matched users might still have connections to blocked profiles

  • Creates data inconsistency across contracts

Recommended Mitigation:

  • Implement a cross-contract blocking mechanism

  • Implement balance handling strategy for blocked users
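One way to realise both mitigation points, as an added illustration that is not the DatingDapp code: the NFT contract reports the block to the registry, which flags the address so further likes and matches are rejected and moves any ETH the user had locked into a pull-payment refund. The interface name, the storage names (userBalances, blocked, refunds) and the likeUser body are assumptions, since the real LikeRegistry layout is not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical hook the NFT contract calls from blockProfile (assumed name).
interface ILikeRegistry {
    function onProfileBlocked(address user) external;
}

contract LikeRegistryBlockAware {
    address public immutable profileNFT;              // only the NFT contract may report a block
    mapping(address => uint256) public userBalances;  // ETH deposited with likes (assumed layout)
    mapping(address => bool) public blocked;          // addresses whose profile was burned
    mapping(address => uint256) public refunds;       // claimable refunds for blocked users

    event ProfileBlocked(address indexed user, uint256 refunded);

    constructor(address _profileNFT) { profileNFT = _profileNFT; }

    modifier notBlocked(address user) {
        require(!blocked[user], "profile blocked");
        _;
    }

    // Called by SoulboundProfileNFT.blockProfile after the burn. Marks the address
    // and converts its locked ETH into a refund instead of leaving it stranded.
    function onProfileBlocked(address user) external {
        require(msg.sender == profileNFT, "only profile NFT");
        blocked[user] = true;
        uint256 amount = userBalances[user];
        userBalances[user] = 0;
        refunds[user] += amount;
        emit ProfileBlocked(user, amount);
    }

    // Pull pattern: the blocked user withdraws; state is zeroed before the transfer.
    function claimRefund() external {
        uint256 amount = refunds[msg.sender];
        require(amount > 0, "nothing to claim");
        refunds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }

    // Interactions are gated on both sides so a blocked profile can neither like
    // nor be liked; the body is illustrative only.
    function likeUser(address liked) external payable notBlocked(msg.sender) notBlocked(liked) {
        userBalances[msg.sender] += msg.value;
    }
}
```

On the NFT side, blockProfile would hold the registry address and call `ILikeRegistry(likeRegistry).onProfileBlocked(blockAddress)` after the burn; clearing already-recorded like and match entries additionally depends on how the real registry stores them.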

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_blocking_or_burning_no_refund_balances_or_multisig

Likelihood: Low, burning with money in it would be a user mistake, and being blocked is Low. Impact: High, loss of funds.
