Back to AlexCzm's contests

Lens Protocol V2 - AlexCzm's results

An open technology stack, builders can create social front-ends or integrate Lens social capabilities.

General Information

Platform: Code4rena

Start Date: 17/07/2023

Pot Size: $85,500 USDC

Total HM: 11

Participants: 26

Period: 14 days

Judge: Picodes

Total Solo HM: 1

Id: 263

League: ETH

Lens Protocol

Findings Distribution

Researcher Performance

Rank: 16/26

Findings: 1

Award: $31.38

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryLens Protocol

Findings Information

🌟 Selected for report: MiloTruck

Also found by: 0xAnah, AlexCzm, Bughunter101, BugzyVonBuggernaut, DavidGiladi, Emmanuel, Iurii3, Kaysoft, MohammedRizwan, Prestige, Rolezn, Sathish9098, Stormreckson, adeolu, descharre, evmboi32, fatherOfBlocks, ginlee, ihtishamsudo, juancito, mrudenko, tnquanghuy0512

Awards

31.3772 USDC - $31.38

Labels

bug
grade-b
QA (Quality Assurance)
Q-02

External Links

Link to GitHub issue

Low Severity Findings

[L-01] Use cached storage variable instead of getProfile again

ProfileLib#createProfile: use cached _profile instead of querying profileId again:

....
        Types.Profile storage _profile = StorageLib.getProfile(profileId);
        _profile.imageURI = createProfileParams.imageURI;
        bytes memory followModuleReturnData;
        if (createProfileParams.followModule != address(0)) {
            // Load the follow module to be used in the next assembly block.
            address followModule = createProfileParams.followModule;
            StorageLib.getProfile(profileId).followModule = followModule; //@audit use cached `_profile`
...

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/libraries/ProfileLib.sol#L44C11-L53

[L-02] Remove commented code

Remove commented code from LensV2UpgradeContracts#executeLensV2Upgrade()

    function executeLensV2Upgrade() external onlyOwner {
        // _preUpgradeChecks();
        _upgrade();
        // _postUpgradeChecks();
    }

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/misc/LensV2UpgradeContract.sol#L44-L48

[L-03] Unused return data

There are 2 cases where return data is not used:

  • MigrationLib#IFollowModule(newFeeFollowModule).initializeFollowModule ignores return value
IFollowModule(newFeeFollowModule).initializeFollowModule({
                    profileId: profileIds[i],
                    transactionExecutor: msg.sender,
                    data: abi.encode(
                        feeFollowModuleData.currency,
                        feeFollowModuleData.amount,
                        feeFollowModuleData.recipient
                    )
                });

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/libraries/MigrationLib.sol#L157C29-L165

  • FollowNftProxy#constructor() ignores return value
        ILensHub(msg.sender).getFollowNFTImpl().functionDelegateCall(data);

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/base/upgradeability/FollowNFTProxy.sol#L15C12-L15C12

Check return value appropriately or if not, document why this is not necessary.

Non Critical Findings

###[N-01] Duplicated natspec param metadataURI @param for Types.sol#Profile struct is mentioned twice

...
     * @param metadataURI MetadataURI is used to store the profile's metadata, for example: displayed name, description,
     * interests, etc.
     * @param metadataURI The URI to be used for the profile's metadata.
     */

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/libraries/constants/Types.sol#L100-L103

#0 - c4-judge

2023-08-28T18:21:44Z

Picodes marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter