DatingDapp

AI First Flight #6
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: high
Likelihood: high
Invalid

# Burning a Soulbound Profile Does Not Clean Up likes or matches in LikeRegistry – Stale State Enables Re-Minting Exploits
## Summary
`SoulboundProfileNFT.burnProfile()` deletes the `profileToToken` mapping entry, allowing the user to mint a fresh profile. However, `LikeRegistry` is never notified of the burn. The `likes` and `matches` mappings retain the user's old address. If the user re-mints a profile under the same address, their old likes and matches are still active. This breaks the protocol's intended one-profile-per-address invariant.
## Vulnerability Details

**Impact:** Medium

**Likelihood:** High

A user can burn and re-mint profiles to manipulate their match history, escape from unwanted likes, or re-trigger matches with accumulated state.
### Proof of Concept
The test below confirms that after a user burns their profile, their relationship history remains active in `LikeRegistry`. When the user creates a brand new profile using the exact same address, the old likes automatically map to the new profile, confirming that stale state persists across profile lifecycles.
```solidity
// Assumes the test contract's setUp() has deployed profileNFT and likeRegistry
// and funded alice with at least 1 ether.
function test_BurnProfileLeavesStaleState() public {
    vm.prank(alice);
    profileNFT.mintProfile("Alice", 25, "imageHash");
    vm.prank(bob);
    profileNFT.mintProfile("Bob", 28, "imageHash");

    // Alice likes Bob
    vm.prank(alice);
    likeRegistry.likeUser{value: 1 ether}(bob);

    // Alice burns her profile
    vm.prank(alice);
    profileNFT.burnProfile();

    // Alice's like on Bob is still recorded
    assertTrue(likeRegistry.likes(alice, bob));

    // Alice re-mints — her old like is still there
    vm.prank(alice);
    profileNFT.mintProfile("AliceNew", 26, "imageHash2");
    assertTrue(likeRegistry.likes(alice, bob)); // Stale state persists
}
```
## Tools Used
Manual Review, Foundry
## Recommendations
Add a callback from `burnProfile` to `LikeRegistry` that clears the user's likes and matches, or prevent re-minting after a burn.
```solidity
function burnProfile() external {
    // ... existing burn logic ...
    likeRegistry.cleanupState(msg.sender); // Clear stale likes and matches
}
```
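
A nested mapping such as `likes[user][...]` cannot be cleared without knowing its keys, so a cleanup callback needs a way to invalidate entries without iterating. The sketch below is an added example, not DatingDapp code or the submitter's: it versions each address with an epoch that the profile contract bumps on burn. The contract name, `onProfileBurned`, `epoch`, `like` and `isMatch` are all hypothetical, and payment and profile-existence checks are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only. Every name here is hypothetical.
/// Likes are keyed by a per-address epoch, so one burn invalidates every like
/// the address gave or received in O(1), with no loop over mappings.
contract EpochLikeRegistrySketch {
    // Assumed: the profile contract is the only caller allowed to signal a burn.
    address public immutable profileNFT;

    // Bumped once per burn of the address's profile.
    mapping(address => uint256) public epoch;

    // liker => liker's epoch => liked => liked's epoch => like recorded?
    mapping(address => mapping(uint256 => mapping(address => mapping(uint256 => bool))))
        private _likes;

    error NotProfileNFT();

    constructor(address profileNFT_) {
        profileNFT = profileNFT_;
    }

    /// Called by the profile contract from its burn path.
    function onProfileBurned(address user) external {
        if (msg.sender != profileNFT) revert NotProfileNFT();
        unchecked { epoch[user]++; }
    }

    /// Records a like under both parties' current epochs.
    function like(address liked) external {
        _likes[msg.sender][epoch[msg.sender]][liked][epoch[liked]] = true;
    }

    /// Returns false for any like recorded before either party's latest burn.
    function likes(address liker, address liked) public view returns (bool) {
        return _likes[liker][epoch[liker]][liked][epoch[liked]];
    }

    /// A match is derived from live likes, so it disappears with them after a burn.
    function isMatch(address a, address b) external view returns (bool) {
        return likes(a, b) && likes(b, a);
    }
}
```

With this layout, the final assertion of a test shaped like the one in the Proof of Concept would read `false` after the burn, because the lookup uses Alice's new epoch.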
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
