blockProfile lets the owner unilaterally burn any user's soulbound profile NFT, a centralization/censorship power over user assets
Owner can unilaterally burn any user's soulbound profile via blockProfile
Description
SoulboundProfileNFT.blockProfile (lines 57-66) is onlyOwner and burns ANY user's profile NFT and deletes their profileToToken entry, with no reporting flow, appeal, or check. A single trusted key can destroy any user's on-chain identity/asset and lock them out of the protocol.
Risk
Likelihood: Low. Requires the privileged owner key to act (maliciously or through key compromise), so it is gated behind trust rather than reachable by arbitrary users.
Impact: High. The owner can censor or destroy any user at will. Once a profile is burned, profileToToken[user] is 0, so the user can no longer participate: likeUser requires profileNFT.profileToToken(msg.sender) != 0 (LikeRegistry line 35) and that the liked user also has a profile (line 36). The targeted user is fully removed from the dating app and loses the soulbound asset that represented their identity, with no recourse. A compromised owner key escalates this to mass destruction of user assets.
Proof of Concept
Owner burns a victim's profile; victim can no longer like anyone.
Recommended Mitigation
Gate blocking behind a reporting/governance process (e.g. timelock, multisig, or an off-chain-attested moderation contract) rather than a single owner, or explicitly document and minimize the trust assumption.
Lead Judging Commences
[M-03] App owner can have users' funds locked by blocking them
## Description App owner can block users at will, causing users to have their funds locked. ## Vulnerability Details `SoulboundProfileNFT::blockProfile` can block any app's user at will. ```js /// @notice App owner can block users function blockProfile(address blockAddress) external onlyOwner { uint256 tokenId = profileToToken[blockAddress]; require(tokenId != 0, "No profile found"); _burn(tokenId); delete profileToToken[blockAddress]; delete _profiles[tokenId]; emit ProfileBurned(blockAddress, tokenId); } ``` ## Proof of Concept The following code demonstrates the scenario where the app owner blocks `bob` and he is no longer able to call `LikeRegistry::likeUser`. Since the contract gives no posibility of fund withdrawal, `bob`'s funds are now locked. Place `test_blockProfileAbuseCanCauseFundLoss` in `testSoulboundProfileNFT.t.sol`: ```js function test_blockProfileAbuseCanCauseFundLoss() public { vm.deal(bob, 10 ether); vm.deal(alice, 10 ether); // mint a profile NFT for bob vm.prank(bob); soulboundNFT.mintProfile("Bob", 25, "ipfs://profileImage"); // mint a profile NFT for Alice vm.prank(alice); soulboundNFT.mintProfile("Alice", 25, "ipfs://profileImage"); // alice <3 bob vm.prank(alice); likeRegistry.likeUser{value: 1 ether}(bob); vm.startPrank(owner); soulboundNFT.blockProfile(bob); assertEq(soulboundNFT.profileToToken(msg.sender), 0); vm.startPrank(bob); vm.expectRevert("Must have a profile NFT"); // bob is no longer able to like a user, as his profile NFT is deleted // his funds are effectively locked likeRegistry.likeUser{value: 1 ether}(alice); } ``` And run the test: ```bash $ forge test --mt test_blockProfileAbuseCanCauseFundLoss Ran 1 test for test/testSoulboundProfileNFT.t.sol:SoulboundProfileNFTTest [PASS] test_blockProfileAbuseCanCauseFundLoss() (gas: 326392) Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.42ms (219.63µs CPU time) Ran 1 test suite in 140.90ms (1.42ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` ## Impact App users can have their funds locked, as well as miss out on potential dates. ## Recommendations Add a voting mechanism to prevent abuse and/or centralization of the feature.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.