Lens Protocol V2 - Bughunter101's results

An open technology stack on which builders can create social front-ends or integrate Lens social capabilities.

General Information

Platform: Code4rena

Start Date: 17/07/2023

Pot Size: $85,500 USDC

Total HM: 11

Participants: 26

Period: 14 days

Judge: Picodes

Total Solo HM: 1

Id: 263

League: ETH

Lens Protocol

Findings Distribution

Researcher Performance

Rank: 24/26

Findings: 1

Award: $31.38

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

31.3772 USDC - $31.38

Labels

bug
downgraded by judge
grade-b
QA (Quality Assurance)
Q-21

External Links

Lines of code

https://github.com/code-423n4/2023-07-lens/blob/main/contracts/misc/LensV2Migration.sol#L33
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/misc/LensV2Migration.sol#L37
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/misc/LensV2Migration.sol#L45

Vulnerability details

Impact

In the case where governance wants to stop all activity, they still can't stop migration. This problem is just like this one: https://github.com/code-423n4/2022-02-aave-lens-findings/issues/71

Proof of Concept

As we can see, LensHub inherits from LensV2Migration, and all the external functions of LensHub have the whenNotPaused modifier. However, LensV2Migration's functions do not have the whenNotPaused modifier.

contract LensHub is
    LensProfiles,
    LensGovernable,
    LensV2Migration,
    LensImplGetters,
    LensHubEventHooks,
    LensHubStorage,
    ILensProtocol
{
    // ... contract body omitted in this excerpt
}

Tools Used

VS Code

Add whenNotPaused to all the external functions of LensV2Migration. We can refer to this issue: https://github.com/code-423n4/2022-02-aave-lens-findings/issues/71

Assessed type

Error
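
A heuristic check for the gap this finding describes, as an added example that is not part of the original submission or the Lens code base: it walks a contract's inheritance list and reports externally callable, state-changing functions that lack whenNotPaused. The Solidity sample, its contract and function names, and the onlyGov exemption are constructed assumptions; the regex matching is a first-pass filter, not a Solidity parser.

```python
import re

# Constructed Solidity sample, not the Lens source: a hub whose own entry
# points are pause-gated, inheriting a migration mixin whose are not.
SAMPLE = """
contract MigrationMixin {
    function batchMigrate(uint256[] calldata ids) external { _migrate(ids); }
    function migrated(uint256 id) external view returns (bool) { return done[id]; }
    function _migrate(uint256[] calldata ids) internal {}
}
contract Hub is Profiles, MigrationMixin {
    function post(bytes calldata data) external whenNotPaused { _post(data); }
    function setState(uint8 s) external onlyGov { state = s; }
}
"""

CONTRACT_RE = re.compile(r"\bcontract\s+(\w+)(?:\s+is\s+([^{]*))?\s*\{")
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)([^{;]*)[{;]")

def unguarded_entry_points(source, root, guard="whenNotPaused", exempt=("onlyGov",)):
    """List (contract, function) pairs reachable on `root` through inheritance
    that are externally callable, state-changing and lack `guard`."""
    source = re.sub(r"//[^\n]*|/\*.*?\*/", "", source, flags=re.S)  # drop comments
    decls = list(CONTRACT_RE.finditer(source))
    parents = {m.group(1): re.findall(r"\w+", m.group(2) or "") for m in decls}
    # Walk the inheritance graph from root; parents not in `source` are skipped.
    reachable, stack = set(), [root]
    while stack:
        name = stack.pop()
        if name in parents and name not in reachable:
            reachable.add(name)
            stack.extend(parents[name])
    findings = []
    for fn in FUNC_RE.finditer(source):
        owner = next((d.group(1) for d in reversed(decls) if d.start() < fn.start()), None)
        words = set(re.findall(r"\w+", re.split(r"\breturns\b", fn.group(2))[0]))
        if owner not in reachable or not words & {"external", "public"}:
            continue
        if words & {"view", "pure", guard, *exempt}:
            continue
        findings.append((owner, fn.group(1)))
    return findings

if __name__ == "__main__":
    for contract, func in unguarded_entry_points(SAMPLE, "Hub"):
        print(f"{contract}.{func} is callable while paused")
```
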

#0 - c4-pre-sort

2023-08-04T12:41:58Z

141345 marked the issue as duplicate of #108

#1 - c4-judge

2023-08-28T14:10:20Z

Picodes changed the severity to QA (Quality Assurance)

#2 - c4-judge

2023-08-28T21:03:56Z

Picodes marked the issue as grade-b

#3 - c4-judge

2023-08-31T16:29:32Z

This previously downgraded issue has been upgraded by Picodes

#4 - c4-judge

2023-08-31T16:31:22Z

Picodes marked the issue as not a duplicate

#5 - c4-judge

2023-08-31T16:31:28Z

Picodes changed the severity to QA (Quality Assurance)

#6 - Picodes

2023-08-31T16:32:03Z

Unlike #144 and #108, this report doesn't justify why this would be needed and why it was the sponsor's intent. I'll therefore keep it in QA.
