DatingDapp

AI First Flight #6
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: high
Likelihood: high
Invalid

[H-5] Invalid Constructor and Missing Input Validation in LikeRegistry

Root + Impact

Description

  • LikeRegistry should validate constructor inputs and initialize owner state correctly.

  • The constructor currently calls Ownable(msg.sender) (invalid for OpenZeppelin) and fails to check the _profileNFT address for zero-address validity.

constructor(address _profileNFT) Ownable(msg.sender) {
    profileNFT = SoulboundProfileNFT(_profileNFT);
}

Risk

Likelihood:

  • The contract can be deployed with a zero address for _profileNFT.

  • The invalid Ownable(msg.sender) constructor call is inconsistent with OpenZeppelin conventions.

Impact:

  • Deployment may fail or produce an improperly initialized owner.

  • A zero-address profileNFT breaks likeUser and all profile checks.

Proof of Concept

The vulnerability allows deployment with invalid parameters:

// Deploying LikeRegistry with address(0) succeeds because the constructor performs no validation
LikeRegistry likeReg = new LikeRegistry(address(0));
// Subsequent calls to likeUser fail (someUser is any profile address):
likeReg.likeUser{value: 1 ether}(someUser);
// Reverts: the call to address(0) will always fail or behave unexpectedly

Additionally, the Ownable(msg.sender) constructor call is invalid and will cause compilation errors, as in the SoulboundProfileNFT contract.
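As an added regression test for the zero-address validation this finding calls for (example code, not part of the submission or of the DatingDapp codebase): a Foundry test against a minimal stand-in constructor. The stand-in omits the Ownable wiring, which is outside the check being tested; ProfileNFTStub and LikeRegistryHardened are constructed names, and the code-size check goes beyond the finding by also rejecting addresses that hold no contract code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the profile NFT dependency (not the project's
// SoulboundProfileNFT). Only its existence as deployed code matters here.
contract ProfileNFTStub {
    function profileToToken(address) external pure returns (uint256) {
        return 1;
    }
}

// Constructor with the recommended zero-address check plus a code-size check.
// Illustrative only; ownership setup is left out on purpose.
contract LikeRegistryHardened {
    address public immutable profileNFT;

    constructor(address _profileNFT) {
        require(_profileNFT != address(0), "Invalid profile NFT address");
        // Beyond the finding: an EOA or mistyped address would also break
        // every call into the profile NFT, so require deployed code as well.
        require(_profileNFT.code.length > 0, "Profile NFT is not a contract");
        profileNFT = _profileNFT;
    }
}

contract LikeRegistryConstructorTest is Test {
    function testRejectsZeroAddress() public {
        vm.expectRevert(bytes("Invalid profile NFT address"));
        new LikeRegistryHardened(address(0));
    }

    function testRejectsAddressWithoutCode() public {
        address eoa = makeAddr("eoa"); // fresh address, nothing deployed there
        vm.expectRevert(bytes("Profile NFT is not a contract"));
        new LikeRegistryHardened(eoa);
    }

    function testAcceptsDeployedProfileNFT() public {
        ProfileNFTStub nft = new ProfileNFTStub();
        LikeRegistryHardened reg = new LikeRegistryHardened(address(nft));
        assertEq(reg.profileNFT(), address(nft));
    }
}
```

Run with `forge test --match-contract LikeRegistryConstructorTest`; the first two cases document the failure modes the finding describes, the third guards against the check being made too strict.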

Recommended Mitigation

Remove the invalid Ownable(msg.sender) call and add a zero-address check for the _profileNFT parameter:

- constructor(address _profileNFT) Ownable(msg.sender) {
+ constructor(address _profileNFT) {
+ require(_profileNFT != address(0), "Invalid profile NFT address");
profileNFT = SoulboundProfileNFT(_profileNFT);
}
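Review bot: the `-`/`+` pair drops the `Ownable(msg.sender)` base-constructor call while the contract still inherits Ownable; if that Ownable is OpenZeppelin v5, whose constructor takes an `initialOwner` argument, the patched constructor would not compile and the deployer would never become owner, which is consistent with the judge's "Incorrect statement" verdict. Keep the base call and add only the check, i.e. `constructor(address _profileNFT) Ownable(msg.sender) {` followed by `require(_profileNFT != address(0), "Invalid profile NFT address");`.
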
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 7 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
