blockProfile() deletes profileToToken mapping without blacklisting the address, allowing blocked users to immediately re-mint a new profile
Root + Impact
Description
-
mintProfile() enforces uniqueness by checking
profileToToken[msg.sender] == 0. When that slot is zero the caller is treated as a new user and minting proceeds. -
blockProfile() removes the blocked user's token via
_burnand then callsdelete profileToToken[blockAddress], which resets the mapping value to0. After the call returns, the blocked address satisfies the== 0guard again and can call mintProfile() immediately with a fresh identity — the permanent block is entirely defeated.
Risk
Likelihood:
-
Every blocked user can trivially re-mint — the bypass requires only calling mintProfile() again, no special knowledge or tooling.
-
There is no time delay, fee, or governance step that would slow re-registration; the bypass is instantaneous.
Impact:
-
The moderation/blocking system provides no real protection — bad actors, scammers, and harassing users can immediately resume operating on the platform under a fresh profile.
-
Owner trust in the block mechanism is false; repeated admin intervention achieves nothing.
Proof of Concept
Owner blocks a user. The user calls mintProfile() again in the same transaction block and the call succeeds, demonstrating the block had no effect.
The second mintProfile() call passes without reverting, proving the block is ineffective.
Recommended Mitigation
Track blocked addresses in a dedicated boolean mapping that is checked in mintProfile() and never cleared.
Lead Judging Commences
[M-01] `SoulboundProfileNFT::blockProfile` make it possible to recreate the profile
## Description The `SoulboundProfileNFT::blockProfile` function uses `delete profileToToken[blockAddress]`, which resets `profileToToken[blockAddress]` to `0`. Since the mintProfile function checks for an existing profile by verifying that `profileToToken[msg.sender] == 0`, a blocked account can be recreated by simply minting a new profile. This behavior bypasses the intended permanent block functionality. ## Vulnerability Details By deleting the mapping entry for a blocked account, the contract inadvertently allows a new mintProfile call to pass the check `require(profileToToken[msg.sender] == 0, "Profile already exists")`. Essentially, once an account is blocked, its associated mapping entry is cleared, so the condition to identify an account with an existing profile is no longer met. This loophole enables a blocked account to recreate its profile, undermining the purpose of blocking. ## Impact A blocked account, which should be permanently barred from engaging with the platform, can circumvent this restriction by re-minting its profile. The integrity of the platform is compromised, as blocked users could regain access and potentially perform further malicious actions. ## POC ```solidity function testRecereationOfBlockedAccount() public { // Alice mints a profile successfully vm.prank(user); soulboundNFT.mintProfile("Alice", 18, "ipfs://profileImageAlice"); // Owner blocks Alice's account, which deletes Alice profile mapping vm.prank(owner); soulboundNFT.blockProfile(user); // The blocked user (Alice) attempts to mint a new profile. // Due to the reset mapping value (0), the require check is bypassed. vm.prank(user); soulboundNFT.mintProfile("Alice", 18, "ipfs://profileImageAlice"); } ``` ## Recommendations - When blocking an account, implement a mechanism to permanently mark that address as blocked rather than simply deleting an entry. For example, maintain a separate mapping (e.g., isBlocked) to record blocked accounts, and update mintProfile to check if an account is permanently barred from minting: Example modification: ```diff + mapping(address => bool) public isBlocked; ... function mintProfile(string memory name, uint8 age, string memory profileImage) external { + require(!isBlocked[msg.sender], "Account is permanently blocked"); require(profileToToken[msg.sender] == 0, "Profile already exists"); uint256 tokenId = ++_nextTokenId; _safeMint(msg.sender, tokenId); // Store metadata on-chain _profiles[tokenId] = Profile(name, age, profileImage); profileToToken[msg.sender] = tokenId; emit ProfileMinted(msg.sender, tokenId, name, age, profileImage); } ... function blockProfile(address blockAddress) external onlyOwner { uint256 tokenId = profileToToken[blockAddress]; require(tokenId != 0, "No profile found"); _burn(tokenId); delete profileToToken[blockAddress]; delete _profiles[tokenId]; + isBlocked[blockAddress] = true; emit ProfileBurned(blockAddress, tokenId); } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.