blockProfile can be bypassed — blocked users re-mint profiles via delete
Title: blockProfile can be bypassed — blocked users re-mint profiles via delete
Severity: Medium
Impact: Blocked users circumvent permanent ban by simply minting a new profile NFT.
Likelihood: High — single transaction, no special requirements, bypasses the block intent.
Reference Files: src/SoulboundProfileNFT.sol:57-66
Description
blockProfile deletes profileToToken[blockAddress], setting it to 0. Since mintProfile checks profileToToken[msg.sender] == 0 to enforce one-profile-per-address, a blocked user can immediately re-mint a new profile — completely bypassing the block. The vulnerable code:
The delete operation makes the blocked address indistinguishable from a brand-new user. No permanent block state is maintained.
Risk
Impact: Medium. Blocked users immediately regain full platform access by re-minting. Malicious actors can continue liking, matching, and participating after supposed permanent bans.
Likelihood: High. The bypass requires only calling mintProfile after being blocked — one transaction, no special setup.
A user blocked for harassment re-mints their profile in the same block and resumes liking other users with zero friction.
Proof of Concept
Blocked user re-mints a profile in a single transaction — the block is completely ineffective.
Recommended Mitigation
A dedicated isBlocked mapping permanently marks blocked addresses, preventing re-minting regardless of profileToToken being cleared.
Lead Judging Commences
[M-01] `SoulboundProfileNFT::blockProfile` make it possible to recreate the profile
## Description The `SoulboundProfileNFT::blockProfile` function uses `delete profileToToken[blockAddress]`, which resets `profileToToken[blockAddress]` to `0`. Since the mintProfile function checks for an existing profile by verifying that `profileToToken[msg.sender] == 0`, a blocked account can be recreated by simply minting a new profile. This behavior bypasses the intended permanent block functionality. ## Vulnerability Details By deleting the mapping entry for a blocked account, the contract inadvertently allows a new mintProfile call to pass the check `require(profileToToken[msg.sender] == 0, "Profile already exists")`. Essentially, once an account is blocked, its associated mapping entry is cleared, so the condition to identify an account with an existing profile is no longer met. This loophole enables a blocked account to recreate its profile, undermining the purpose of blocking. ## Impact A blocked account, which should be permanently barred from engaging with the platform, can circumvent this restriction by re-minting its profile. The integrity of the platform is compromised, as blocked users could regain access and potentially perform further malicious actions. ## POC ```solidity function testRecereationOfBlockedAccount() public { // Alice mints a profile successfully vm.prank(user); soulboundNFT.mintProfile("Alice", 18, "ipfs://profileImageAlice"); // Owner blocks Alice's account, which deletes Alice profile mapping vm.prank(owner); soulboundNFT.blockProfile(user); // The blocked user (Alice) attempts to mint a new profile. // Due to the reset mapping value (0), the require check is bypassed. vm.prank(user); soulboundNFT.mintProfile("Alice", 18, "ipfs://profileImageAlice"); } ``` ## Recommendations - When blocking an account, implement a mechanism to permanently mark that address as blocked rather than simply deleting an entry. For example, maintain a separate mapping (e.g., isBlocked) to record blocked accounts, and update mintProfile to check if an account is permanently barred from minting: Example modification: ```diff + mapping(address => bool) public isBlocked; ... function mintProfile(string memory name, uint8 age, string memory profileImage) external { + require(!isBlocked[msg.sender], "Account is permanently blocked"); require(profileToToken[msg.sender] == 0, "Profile already exists"); uint256 tokenId = ++_nextTokenId; _safeMint(msg.sender, tokenId); // Store metadata on-chain _profiles[tokenId] = Profile(name, age, profileImage); profileToToken[msg.sender] = tokenId; emit ProfileMinted(msg.sender, tokenId, name, age, profileImage); } ... function blockProfile(address blockAddress) external onlyOwner { uint256 tokenId = profileToToken[blockAddress]; require(tokenId != 0, "No profile found"); _burn(tokenId); delete profileToToken[blockAddress]; delete _profiles[tokenId]; + isBlocked[blockAddress] = true; emit ProfileBurned(blockAddress, tokenId); } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.