DatingDapp

AI First Flight #6
Beginner Friendly · Foundry · Solidity · NFT
Submission Details
Impact: medium
Likelihood: medium
Invalid

[MEDIUM] Soulbound Token: _update Hook and Approval Functions Not Overridden

File: sources/2025-02-datingdapp/src/SoulboundProfileNFT.sol
Lines: 56–64

Summary

The contract blocks transfers by overriding transferFrom and safeTransferFrom to revert, but it does not override _update() (the internal hook in OpenZeppelin v5 ERC721 that every mint, transfer and burn passes through), nor approve() or setApprovalForAll(). Holders can therefore still set token and operator approvals on a token that can never move, and those approvals are visible on-chain through getApproved() and isApprovedForAll().

Vulnerability Details

// Overrides exist for the public transfer functions
function transferFrom(address, address, uint256) public pure override {
    revert SoulboundTokenCannotBeTransferred();
}

// NOT overridden, so still callable with the inherited behaviour:
// approve()           -> holders can approve a spender for a token that cannot move
// setApprovalForAll() -> holders can grant blanket operator approvals
// _update()           -> OZ v5 internal hook that every mint, transfer and burn passes through

Impact

  • Approval state can be set and read back (getApproved, isApprovedForAll) on a token that can never move, so on-chain state contradicts the soulbound intent.

  • _update() is internal and is reached only through the public transfer functions; in OZ v5 both safeTransferFrom variants route through transferFrom, so the existing overrides already close every external transfer path. Overriding _update() is defense in depth against a future library version or a derived contract adding a new entry point, not a fix for a present bypass.

  • Users and integrators (marketplaces, indexers) may read the approvals as meaningful when they are dead state.

Tools Used

  • Manual review, OZ v5 ERC721 architecture analysis

Recommendations

// Block owner-to-owner moves at the hook every path shares; mint (from == 0)
// and burn (to == 0) still pass through.
function _update(address to, uint256 tokenId, address auth)
    internal override returns (address)
{
    address from = _ownerOf(tokenId);
    if (from != address(0) && to != address(0)) {
        revert SoulboundTokenCannotBeTransferred();
    }
    return super._update(to, tokenId, auth);
}

// Refuse approvals outright so no misleading approval state can exist.
function approve(address, uint256) public pure override {
    revert SoulboundTokenCannotBeTransferred();
}

function setApprovalForAll(address, bool) public pure override {
    revert SoulboundTokenCannotBeTransferred();
}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 6 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
