DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

CEI pattern is not being followed in `SoulboundProfileNFT::_burn` function

Summary

Although the function can only be called by the profile owner, it has a potential reentrancy issue.

Description

The `burnProfile` function does not follow the Checks-Effects-Interactions (CEI) pattern. The `_burn(tokenId)` call, which may involve external interactions (depending on how the base ERC721 implementation is structured), occurs before the contract's state variables are updated. If a reentrant call were made during that execution, the contract could be left in an inconsistent state.

Recommendation

Rearrange the function logic so that all state changes occur before the external _burn call. The following corrected implementation ensures compliance with CEI:

```diff
function burnProfile() external {
    uint256 tokenId = profileToToken[msg.sender];
    require(tokenId != 0, "No profile found");
    require(ownerOf(tokenId) == msg.sender, "Not profile owner");
+   delete profileToToken[msg.sender];
+   delete _profiles[tokenId];
    _burn(tokenId);
-   delete profileToToken[msg.sender];
-   delete _profiles[tokenId];
    emit ProfileBurned(msg.sender, tokenId);
}
```
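To make the recommendation concrete, below is an added, self-contained Foundry example (not the DatingDapp code and not the submitter's code) with a reduced profile NFT that uses the CEI ordering above, plus a test that checks the effects the fix relies on: after `burnProfile` the `profileToToken` entry is cleared, the token no longer exists, and a second call reverts with `"No profile found"`. The contract name, the `Profile` struct, `mintProfile` and the test are assumptions made for the example. One caveat worth keeping in mind when assessing impact: OpenZeppelin's `ERC721._burn` itself makes no external call (its hooks are internal virtual functions), so the reentry path the finding describes only exists if a derived contract adds one; the CEI ordering is still the cheaper and safer default.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Test} from "forge-std/Test.sol";

/// Hypothetical, reduced profile NFT (example only, not the DatingDapp contract).
/// It keeps the same two mappings the finding refers to.
contract ProfileNFTExample is ERC721 {
    struct Profile {
        string name;
        uint8 age;
    }

    mapping(address => uint256) public profileToToken;
    mapping(uint256 => Profile) internal _profiles;
    uint256 private _nextId = 1;

    event ProfileBurned(address indexed user, uint256 indexed tokenId);

    constructor() ERC721("ProfileExample", "PEX") {}

    function mintProfile(string calldata name, uint8 age) external {
        require(profileToToken[msg.sender] == 0, "Profile already exists");
        uint256 tokenId = _nextId++;
        _mint(msg.sender, tokenId);
        profileToToken[msg.sender] = tokenId;
        _profiles[tokenId] = Profile(name, age);
    }

    /// CEI-ordered burn: every storage write happens before _burn, so even if a
    /// derived contract added an external call inside _burn, a reentrant call
    /// into burnProfile would fail the "No profile found" check.
    function burnProfile() external {
        uint256 tokenId = profileToToken[msg.sender];
        require(tokenId != 0, "No profile found");            // Checks
        require(ownerOf(tokenId) == msg.sender, "Not profile owner");

        delete profileToToken[msg.sender];                     // Effects
        delete _profiles[tokenId];

        _burn(tokenId);                                        // Interactions
        emit ProfileBurned(msg.sender, tokenId);
    }
}

/// Foundry test asserting the post-conditions the fix depends on.
contract BurnProfileTest is Test {
    ProfileNFTExample internal nft;
    address internal alice = makeAddr("alice"); // constructed test account

    function setUp() public {
        nft = new ProfileNFTExample();
    }

    function testBurnClearsStateBeforeTokenIsGone() public {
        vm.prank(alice);
        nft.mintProfile("alice", 30);
        uint256 tokenId = nft.profileToToken(alice);
        assertEq(tokenId, 1);

        vm.prank(alice);
        nft.burnProfile();

        // Mapping entry is cleared and the token no longer exists.
        assertEq(nft.profileToToken(alice), 0);
        vm.expectRevert();
        nft.ownerOf(tokenId);

        // A repeated (or reentrant) call is stopped by the first check.
        vm.expectRevert(bytes("No profile found"));
        vm.prank(alice);
        nft.burnProfile();
    }
}
```

Run with `forge test --match-contract BurnProfileTest` in a Foundry project that has `openzeppelin-contracts` and `forge-std` installed as dependencies.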
Updates

Appeal created

n0kto Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
