han/2025-02-datingdapp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
2025-02-datingdapp/audit/M-03.md
han 09ed9015e5
Some checks failed
CI / Foundry project (push) Has been cancelled
Details
add valid finding, ai finding, and retro
2025-03-08 23:24:27 +07:00

2.4 KiB
Raw Permalink Blame History

M-03. App owner can have users' funds locked by blocking them

Valid medium finding by someone else

Summary

App owner can block users at will, causing users to have their funds locked.

Vulnerability Details

SoulboundProfileNFT::blockProfile can block any app's user at will.

/// @notice App owner can block users
function blockProfile(address blockAddress) external onlyOwner {
    uint256 tokenId = profileToToken[blockAddress];
    require(tokenId != 0, "No profile found");

    _burn(tokenId);
    delete profileToToken[blockAddress];
    delete _profiles[tokenId];

    emit ProfileBurned(blockAddress, tokenId);
}

Proof of Concept

The following code demonstrates the scenario where the app owner blocks bob and he is no longer able to call LikeRegistry::likeUser. Since the contract gives no posibility of fund withdrawal, bob's funds are now locked.

Place test_blockProfileAbuseCanCauseFundLoss in testSoulboundProfileNFT.t.sol:

function test_blockProfileAbuseCanCauseFundLoss() public {
    vm.deal(bob, 10 ether);
    vm.deal(alice, 10 ether);

    // mint a profile NFT for bob
    vm.prank(bob);
    soulboundNFT.mintProfile("Bob", 25, "ipfs://profileImage");

    // mint a profile NFT for Alice
    vm.prank(alice);
    soulboundNFT.mintProfile("Alice", 25, "ipfs://profileImage");

    // alice <3 bob
    vm.prank(alice);
    likeRegistry.likeUser{value: 1 ether}(bob);

    vm.startPrank(owner);
    soulboundNFT.blockProfile(bob);
    assertEq(soulboundNFT.profileToToken(msg.sender), 0);

    vm.startPrank(bob);
    vm.expectRevert("Must have a profile NFT");
    // bob is no longer able to like a user, as his profile NFT is deleted
    // his funds are effectively locked
    likeRegistry.likeUser{value: 1 ether}(alice);
}

And run the test:

$ forge test --mt test_blockProfileAbuseCanCauseFundLoss
Ran 1 test for test/testSoulboundProfileNFT.t.sol:SoulboundProfileNFTTest
[PASS] test_blockProfileAbuseCanCauseFundLoss() (gas: 326392)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.42ms (219.63µs CPU time)

Ran 1 test suite in 140.90ms (1.42ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)

Impact

App users can have their funds locked, as well as miss out on potential dates.

Tools used

Manual review, tests

Recommendations

Add a voting mechanism to prevent abuse and/or centralization of the feature.