DatingDapp

AI First Flight #6
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Impact: medium
Likelihood: high
Invalid

SoulboundProfileNFT::mintProfile has no age validation — allows profiles with age 0 or profiles for minors

Root + Impact

Description

  • The mintProfile function accepts a uint8 age parameter with no validation on its value. A user can create a dating profile with age 0, 1, or any value under 18. Since this is a dating application, allowing profiles for minors exposes the protocol to serious regulatory and safety risks. The age is stored on-chain as immutable metadata in the soulbound NFT.

// Root cause in SoulboundProfileNFT.sol, mintProfile (lines 30-41)
function mintProfile(string memory name, uint8 age, string memory profileImage) external {
require(profileToToken[msg.sender] == 0, "Profile already exists");
// @> No age validation — allows age 0, underage profiles, etc.
uint256 tokenId = ++_nextTokenId;
_safeMint(msg.sender, tokenId);
_profiles[tokenId] = Profile(name, age, profileImage);
// ...
}

Risk

Likelihood:

  • Any user can mint a profile with any age from 0 to 255. No validation prevents this.

Impact:

  • A dating application allowing profiles for minors creates serious legal and ethical implications.

  • Age 0 profiles are nonsensical and pollute the platform.

Proof of Concept

This test mints two profiles — one with age 0 and one with age 15 — both succeed without any validation revert, demonstrating that minors and nonsensical ages are freely accepted by the contract.

function testM01_NoAgeValidation() public {
// Mint a profile with age 0
vm.prank(user);
soulboundNFT.mintProfile("Baby", 0, "ipfs://baby");
assertEq(soulboundNFT.profileToToken(user), 1); // Succeeds!
// Mint a profile for a minor
vm.prank(user2);
soulboundNFT.mintProfile("Teen", 15, "ipfs://teen");
assertEq(soulboundNFT.profileToToken(user2), 2); // Also succeeds!
}

Recommended Mitigation

Add an age validation check requiring users to be at least 18 years old.

function mintProfile(string memory name, uint8 age, string memory profileImage) external {
require(profileToToken[msg.sender] == 0, "Profile already exists");
+ require(age >= 18, "Must be at least 18 years old");
uint256 tokenId = ++_nextTokenId;
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!