Platform: Code4rena
Start Date: 17/07/2023
Pot Size: $85,500 USDC
Total HM: 11
Participants: 26
Period: 14 days
Judge: Picodes
Total Solo HM: 1
Id: 263
League: ETH
Rank: 8/26
Findings: 2
Award: $430.47
π Selected for report: 0
π Solo Findings: 0
399.0897 USDC - $399.09
A bug has been discovered in the process of unfollowing a wrapped token in the existing system. The current implementation does not allow the user who initially followed a wrapped token (newFollowerProfileId) to unfollow it. This limitation arises due to the absence of a condition to handle this case in the unFollow function.
The _followWithWrappedToken function in the system contains the following logic:
_replaceFollower({ currentFollowerProfileId: _followDataByFollowTokenId[followTokenId].followerProfileId, newFollowerProfileId: followerProfileId, followTokenId: followTokenId });
In this function, currentFollowerProfileID, newFollowerProfileID, and followTokenID are set.
However, when the new follower attempts to unfollow the token, the system does not provide the functionality to do so. The unFollow function includes a series of checks to verify permissions, but it does not consider the the follower of the nft.
address unfollowerProfileOwner = IERC721(HUB).ownerOf(unfollowerProfileId); // Follower profile owner or its approved delegated executor must hold the token or be approved-for-all. if ( (followTokenOwner != unfollowerProfileOwner) && (followTokenOwner != transactionExecutor) && !isApprovedForAll(followTokenOwner, transactionExecutor) && !isApprovedForAll(followTokenOwner, unfollowerProfileOwner) ) { revert DoesNotHavePermissions();
This results in the inability for the new follower to unfollow the NFT token after he had been approved and he follows it, creating a limitation in the user experience and the overall functionality of the system.
None
Add functionality to handle the case of if the follower of the NFT wants to unfollow it
Context
#0 - 141345
2023-08-03T13:06:14Z
seems invalid
misunderstanding of line 118 check, it does not look like will revert
File: contracts\FollowNFT.sol 118: if ( 119: (followTokenOwner != unfollowerProfileOwner) && 120: (followTokenOwner != transactionExecutor) && 121: !isApprovedForAll(followTokenOwner, transactionExecutor) && 122: !isApprovedForAll(followTokenOwner, unfollowerProfileOwner) 123: ) { 124: revert DoesNotHavePermissions(); 125: }
#1 - c4-pre-sort
2023-08-04T12:14:36Z
141345 marked the issue as low quality report
#2 - c4-sponsor
2023-08-10T15:45:31Z
vicnaum marked the issue as disagree with severity
#3 - vicnaum
2023-08-10T15:45:43Z
If this means the same as #145 - then it seems like a valid issue. Same as #145 it should be Low
#4 - Picodes
2023-08-28T14:27:28Z
This report is a low-quality duplicate of #145. ("This results in the inability for the new follower to unfollow the NFT token after he had been approved and he follows it, creating a limitation in the user experience and the overall functionality of the system.")
#5 - c4-judge
2023-08-28T14:27:45Z
Picodes marked the issue as duplicate of #145
#6 - c4-judge
2023-08-28T14:27:50Z
Picodes marked the issue as partial-50
#7 - c4-judge
2023-08-28T14:27:54Z
Picodes marked the issue as partial-25
π Selected for report: MiloTruck
Also found by: 0xAnah, AlexCzm, Bughunter101, BugzyVonBuggernaut, DavidGiladi, Emmanuel, Iurii3, Kaysoft, MohammedRizwan, Prestige, Rolezn, Sathish9098, Stormreckson, adeolu, descharre, evmboi32, fatherOfBlocks, ginlee, ihtishamsudo, juancito, mrudenko, tnquanghuy0512
31.3772 USDC - $31.38
Floating pragma is used (low)
Vulnerability details:
Contracts should be deployed using the same compiler version/flags with which they have been tested. Locking the pragma (for e.g. by not using ^ in pragma solidity ^0.8.15)
Impact:
avoids that contracts do not accidentally get deployed using an older compiler version with unfixed bugs.
POC: Present in all files
Tools used: None
Recommended Mitigation Steps:
The correct will be pragma solidity 0.8.x; (choice of team)
And should be made across all the imports.
Lack of checks
Vulnerability details:
The current implementation of our smart contract constructor does not include any form of input validation for its parameters.
Impact:
This lack of checks can potentially lead to erroneous assignments, and in worst-case scenarios, security vulnerabilities.
POC:
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/misc/LensV2Migration.sol
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/misc/LensV2UpgradeContract.sol
Tools used: None
Recommended Mitigation Steps:
Ideally, each of the contract address parameters e.g (moduleGlobals, followNFTImpl, collectNFTImpl, lensHandlesAddress, tokenHandleRegistryAddress, legacyFeeFollowModule, legacyProfileFollowModule, newFeeFollowModule) should be validated for legitimacy. They should be non-zero addresses and should correspond to the expected contract interface.
Misleading Error Message
Vulnerability details:
In the current implementation of the unfollow function, when followNFT resolves to a zero address (address(0)), the function reverts with Errors.NotFollowing(). This error message suggests that the user is not following the profile they are attempting to unfollow. However, a zero address for followNFT is more indicative of the profile NFT not existing, rather than the user not following the profile.
Impact: Confusing error message
Tools used: None
Recommended Mitigation Steps:
Replace the Errors.NotFollowing() error message with a more suitable error message such as Errors.NFTDoesNotExist()- create a new error message that accurately represents the situation. This will make the error handling more descriptive and accurate, thus improving debugging and issue resolution.
open TODO
Vulnerability details:
There's an open TODO in the ProtocolState enum, concerning the reordering of enum members so that Paused becomes 0 and the default state.
Impact:
Protocol not fully implementing its required upgrades
Tools used: None
Recommended Mitigation Steps:
completion of this TODO. Carefully plan the change, update the enum order, and simultaneously update any dependent code to prevent unwanted side effects. Thoroughly test the changes to ensure the protocol behaves as expected.
open TODO
Vulnerability details:
The project files show inconsistencies in the specified Solidity pragma versions, with some files using ^0.8.19 and others using ^0.8.15 and ^0.8.18
Impact:
This variation could potentially lead to compatibility issues, unpredictable behavior, or deployment difficulties, especially when newer versions of Solidity introduce breaking changes or when features exclusive to certain versions are used.
POC: ^0.8.19: https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/MigrationLib.sol
^0.8.19 https://github.com/code-423n4/2023-07-lens/blob/main/contracts/misc/LensV2UpgradeContract.sol
^0.8.18 https://github.com/code-423n4/2023-07-lens/blob/main/contracts/namespaces/TokenHandleRegistry.sol
^0.8.15, other files AFAIK
Tools used: None
Recommended Mitigation Steps:
Standardize the Solidity version across all project files. If possible, upgrade all contracts to the latest and same version (^0.8.19 in this context). It's necessary to thoroughly test all functionalities post-upgrade to ensure no breaking changes were introduced with the newer version.
Open TODO in getHandle Function Regarding Non-Existent Tokens
Vulnerability details:
An open TODO comment in the getHandle function questions whether the function should revert if a given tokenId does not exist. Currently, the function proceeds to concatenate localName and NAMESPACE, regardless of whether the tokenId exists or not.
Impact:
This could potentially lead to unexpected behavior or return misleading information if the tokenId doesn't correspond to a valid entity.
Tools used: None
Recommended Mitigation Steps:
Resolve the TODO by implementing a validation check for the existence of the tokenId before proceeding with the getLocalName function and subsequent operations. If the tokenId does not exist, it may be appropriate to revert the transaction with an explanatory error message.