DatingDapp

First Flight #33

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Addresses who have been blocked by blockProfile() can re-mint a now profile

preslavpetkov93

Summary

scope: src/SoulboundProfileNFT.sol

The blockProfile function does not prevent a blocked address from minting a new profile NFT after being blocked. Blocked users can re-mint a profile NFT, bypassing the intended restriction.

Vulnerability Details

Affected Functions:

blockProfile(): Burns the NFT and deletes profile data but does not record the blocked status.
mintProfile() (assumed): Likely lacks a check for blocklisted addresses.

Root Cause:

Burning the NFT and deleting profileToToken removes the user’s profile data but does not store their blocked status.
When the blocked user attempts to mint again, the contract cannot distinguish them from a new user, allowing unrestricted re-minting.

Impact

Loss of Accountability: Blocked users can re-enter the system, undermining the purpose of blocking.
System Abuse: Malicious actors can repeatedly create new profiles after being blocked.

Tools Used

Manual code review (no specific tools required).

Recommendations

1.Add a Blocklist Mapping:

mapping(address => bool) public isBlocklisted;

2.Update blockProfile():

function blockProfile(address blockAddress) external onlyOwner {

uint256 tokenId = profileToToken[blockAddress];

require(tokenId != 0, "No profile found");

_burn(tokenId);

delete profileToToken[blockAddress];

delete _profiles[tokenId];

// Add to blocklist

isBlocklisted[blockAddress] = true;

emit ProfileBurned(blockAddress, tokenId);

}

3.Modify the Mint Function:
Add a check in the profile minting function:

function mintProfile() external {

require(!isBlocklisted[msg.sender], "Address is blocklisted");

require(profileToToken[msg.sender] == 0, "Already has a profile");

// ... rest of minting logic

}

Updates

Appeal created

n0kto Lead Judge 6 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_blocked_user_can_recreate_a_profil

Likelihood: Low, any blocked users. Impact: High, not really blocked.

Rewards breakdown

nSLOC

197

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.