Submission Details
Impact:
Likelihood:
Missing Input Validation on Constructor Parameter
Root + Impact
Description
-
Describe the normal behavior in one or more sentences
-
-
Explain the specific issue or problem in one or more sentences
-
The constructor accepts _profileNFT address without validation. If set to address(0) or an invalid contract, all likeUser() calls will revert, rendering the contract permanently unusable since profileNFT is immutable after deployment.the relevant section
Risk
Likelihood:
-
Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
-
Medium
-
Reason 2
Impact:
-
Impact 1
-
Contract becomes non-functional
-
Impact 2
Proof of Concept
constructor(address _profileNFT) Ownable(msg.sender) {
profileNFT = SoulboundProfileNFT(_profileNFT); // No validation
}
Recommended Mitigation
- remove this code
+ add this code
constructor(address _profileNFT) Ownable(msg.sender) {
require(_profileNFT != address(0), "Invalid profile NFT address");
// Verify it's a contract
require(_profileNFT.code.length > 0, "Address is not a contract");
profileNFT = SoulboundProfileNFT(_profileNFT);
// Optional: Verify interface support
try profileNFT.profileToToken(address(this)) returns (uint256) {
// Interface check passed
} catch {
revert("Invalid SoulboundProfileNFT contract");
}
}
Rewards breakdown
This contest has a flat reward structure with the following payouts:
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.