DatingDapp
AI First Flight #6
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Blocked Users Can Immediately Re-Mint Profiles

diegotrigueros

Root + Impact

Description

After blockProfile() deletes profileToToken[user] and burns the NFT,
nothing prevents the blocked address from calling mintProfile() again.
The only check is profileToToken[msg.sender] == 0, which is true after
blocking.

// src/SoulboundProfileNFT.sol:30-41
function mintProfile(string memory name, uint8 age, string memory profileImage) external {
require(profileToToken[msg.sender] == 0, "Profile already exists");
// @> No check for blocked status — blocked user can re-mint immediately
uint256 tokenId = ++_nextTokenId;
_safeMint(msg.sender, tokenId);
// ...
}

Risk

Likelihood: High

  • Any blocked user can call mintProfile() in the very next block

  • No cooldown, no blocklist, no governance delay

Impact: Medium

  • blockProfile() is effectively useless as a moderation tool

  • Malicious/abusive users can return instantly

  • Combined with F-03, blocked users retain their previous like state

Proof of Concept

This test proves that immediately after the owner blocks a user, the same
address can call mintProfile() again in the very next transaction and
obtain a new valid profile — rendering the block ineffective.

function testBlockedUserReMints() public {
vm.prank(user);
soulboundNFT.mintProfile("Scammer", 30, "ipfs://scam");
// Owner blocks the user
soulboundNFT.blockProfile(user);
assertEq(soulboundNFT.profileToToken(user), 0);
// Blocked user immediately re-mints
vm.prank(user);
soulboundNFT.mintProfile("TotallyNotScammer", 30, "ipfs://legit");
assertTrue(soulboundNFT.profileToToken(user) != 0); // Success!
}

Recommended Mitigation

Add a persistent blockedAddresses mapping that is set during
blockProfile() and checked in mintProfile(), ensuring blocked
users can never create a new profile from the same address.

+ mapping(address => bool) public blockedAddresses;
function blockProfile(address blockAddress) external onlyOwner {
uint256 tokenId = profileToToken[blockAddress];
require(tokenId != 0, "No profile found");
+ blockedAddresses[blockAddress] = true;
_burn(tokenId);
delete profileToToken[blockAddress];
delete _profiles[tokenId];
emit ProfileBurned(blockAddress, tokenId);
}
function mintProfile(string memory name, uint8 age, string memory profileImage) external {
+ require(!blockedAddresses[msg.sender], "Address is blocked");
require(profileToToken[msg.sender] == 0, "Profile already exists");
// ...
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[M-01] `SoulboundProfileNFT::blockProfile` make it possible to recreate the profile

## Description The `SoulboundProfileNFT::blockProfile` function uses `delete profileToToken[blockAddress]`, which resets `profileToToken[blockAddress]` to `0`. Since the mintProfile function checks for an existing profile by verifying that `profileToToken[msg.sender] == 0`, a blocked account can be recreated by simply minting a new profile. This behavior bypasses the intended permanent block functionality. ## Vulnerability Details By deleting the mapping entry for a blocked account, the contract inadvertently allows a new mintProfile call to pass the check `require(profileToToken[msg.sender] == 0, "Profile already exists")`. Essentially, once an account is blocked, its associated mapping entry is cleared, so the condition to identify an account with an existing profile is no longer met. This loophole enables a blocked account to recreate its profile, undermining the purpose of blocking. ## Impact A blocked account, which should be permanently barred from engaging with the platform, can circumvent this restriction by re-minting its profile. The integrity of the platform is compromised, as blocked users could regain access and potentially perform further malicious actions. ## POC ```solidity function testRecereationOfBlockedAccount() public { // Alice mints a profile successfully vm.prank(user); soulboundNFT.mintProfile("Alice", 18, "ipfs://profileImageAlice"); // Owner blocks Alice's account, which deletes Alice profile mapping vm.prank(owner); soulboundNFT.blockProfile(user); // The blocked user (Alice) attempts to mint a new profile. // Due to the reset mapping value (0), the require check is bypassed. vm.prank(user); soulboundNFT.mintProfile("Alice", 18, "ipfs://profileImageAlice"); } ``` ## Recommendations - When blocking an account, implement a mechanism to permanently mark that address as blocked rather than simply deleting an entry. For example, maintain a separate mapping (e.g., isBlocked) to record blocked accounts, and update mintProfile to check if an account is permanently barred from minting: Example modification: ```diff + mapping(address => bool) public isBlocked; ... function mintProfile(string memory name, uint8 age, string memory profileImage) external { + require(!isBlocked[msg.sender], "Account is permanently blocked"); require(profileToToken[msg.sender] == 0, "Profile already exists"); uint256 tokenId = ++_nextTokenId; _safeMint(msg.sender, tokenId); // Store metadata on-chain _profiles[tokenId] = Profile(name, age, profileImage); profileToToken[msg.sender] = tokenId; emit ProfileMinted(msg.sender, tokenId, name, age, profileImage); } ... function blockProfile(address blockAddress) external onlyOwner { uint256 tokenId = profileToToken[blockAddress]; require(tokenId != 0, "No profile found"); _burn(tokenId); delete profileToToken[blockAddress]; delete _profiles[tokenId]; + isBlocked[blockAddress] = true; emit ProfileBurned(blockAddress, tokenId); } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!