User who Gets Blocked by the Admin the Balances of that user Get Stucked in the Contract Forever if the User has previous balances in the contract.
Summary
It was observed that when the owner is blocking any user the blockuser() function doesn't check if the user has the balances in the contract and directly deleting the user without checking and sending back the balances of that user in the contract which leads to the balances stuck in the contract forever of the user which is getting blocked by the other. Also no body other can like that person due to the profile gets delete in the blockProfile()function by this
Vulnerability Details
The blockProfile()fucntion is deleting the user without checking if that user has outstanding balance in the contract or not and directly deleting the user will make stuck the user balance in the contract forever. And by this the user as well as the owner of the contract cant withdraw the funds from the contract as when the other user are liking this bliocked user due to the delete profileToToken[blockAddress];````delete _profiles[tokenId]; the other userscant like the blocked user and the multisig wallet will not get created and the amount of the blocked user gets stucked forever in the contract.
Impact
Blocked users' balances become unrecoverableTools Used.
Users may lose trust in the platform due to unfair fund losses and blocked interactions.
Recommendations
Add this in the code with reentracy gaurd modifier.
Appeal created
finding_blocking_or_burning_no_refund_balances_or_multisig
Likelihood: Low, burning with money in it would be a user mistake, and being blocked is Low. Impact: High, loss of funds
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.