Platform: Code4rena
Start Date: 10/02/2022
Pot Size: $100,000 USDC
Total HM: 13
Participants: 21
Period: 7 days
Judge: leastwood
Total Solo HM: 10
Id: 85
League: ETH
Rank: 4/21
Findings: 3
Award: $12,374.72
π Selected for report: 3
π Solo Findings: 1
3033.3069 USDC - $3,033.31
In the current implementation, even when the profile's owner burnt the ProfileNFT, as the profile's legacy, the publications can still be collected.
However, if the publication is a Mirror and there is a referralFee set by the original publication, the user won't be able to collect from a Mirror that was published by a burned profile.
if (referralFee != 0) { // The reason we levy the referral fee on the adjusted amount is so that referral fees // don't bypass the treasury fee, in essence referrals pay their fair share to the treasury. uint256 referralAmount = (adjustedAmount * referralFee) / BPS_MAX; adjustedAmount = adjustedAmount - referralAmount; address referralRecipient = IERC721(HUB).ownerOf(referrerProfileId); IERC20(currency).safeTransferFrom(collector, referralRecipient, referralAmount); }
When a mirror is collected, what happens behind the scenes is the original, mirrored publication is collected, and the mirror publisher's profile ID is passed as a "referrer."
In _processCollectWithReferral(), if there is a referralFee, contract will read referralRecipient from IERC721(HUB).ownerOf(referrerProfileId), if referrerProfileId is burned, the IERC721(HUB).ownerOf(referrerProfileId) will revert with ERC721: owner query for nonexistent token.
However, since we wish to allow the content to be collected, we should just treat referrals as non-existent in this situation.
Change to:
try IERC721(HUB).ownerOf(referrerProfileId) returns (address referralRecipient) { uint256 referralAmount = (adjustedAmount * referralFee) / BPS_MAX; adjustedAmount = adjustedAmount - referralAmount; address referralRecipient = IERC721(HUB).ownerOf(referrerProfileId); IERC20(currency).safeTransferFrom(collector, referralRecipient, referralAmount); } catch { emit LogNonExistingReferrer(referrerProfileId); }
#0 - Zer0dot
2022-03-21T23:24:50Z
This is valid! However, here's what I commented on #14 :
"This is only an issue when a profile is deleted (burned), in which case UIs have multiple choices:
1. Stop displaying all the burnt profile's publications 2. Redirect users, when collecting mirrors, to the original publication 3. Prevent all collects
I don't think this adds any risk to the protocol and although it's valid, we will not be taking any action."
π Selected for report: WatchPug
6740.682 USDC - $6,740.68
In the current implementation, when there is a fee on follow or collect, users need to approve to the follow modules or collect module contract, and then the Hub contract can call processFollow() and transfer funds from an arbitrary address (as the follower parameter).
function processFollow( address follower, uint256 profileId, bytes calldata data ) external override onlyHub { uint256 amount = _dataByProfile[profileId].amount; address currency = _dataByProfile[profileId].currency; _validateDataIsExpected(data, currency, amount); (address treasury, uint16 treasuryFee) = _treasuryData(); address recipient = _dataByProfile[profileId].recipient; uint256 treasuryAmount = (amount * treasuryFee) / BPS_MAX; uint256 adjustedAmount = amount - treasuryAmount; IERC20(currency).safeTransferFrom(follower, recipient, adjustedAmount); IERC20(currency).safeTransferFrom(follower, treasury, treasuryAmount); }
A common practice is asking users to approve an unlimited amount to the contracts. Normally, the allowance can only be used by the user who initiated the transaction.
It's not a problem as long as transferFrom will always only transfer funds from msg.sender and the contract is non-upgradable.
However, the LensHub contract is upgradeable, and FeeFollowModule will transferFrom an address decided by an input parameter follower, use of upgradeable proxy contract structure allows the logic of the contract to be arbitrarily changed.
This allows the proxy admin to perform many malicious actions, including taking funds from users' wallets up to the allowance limit.
This action can be performed by the malicious/compromised proxy admin without any restriction.
Given:
1 uses FeeCollectModule with currency = WETH and amount = 1e18approve() type(uint256).max to FeeCollectModule and follow() profileId 1 with 1e18 WETH;upgradeToAndCall() on the proxy contract and set a malicious contract as newImplementation, adding a new functions:function rugFollow(address follower, address followModule, uint256 profileId, bytes calldata data) external { IFollowModule(followModule).processFollow( follower, profileIds, data ); }
FeeCollectModule and set currency = WETH and amount = 1,000,000, got profileId = 2rugFollow() with follower = Alice, profileId = 2, stolen 1,000,000 WETH from Alice's walletImproper management of users' allowance is the root cause of some of the biggest attacks in the history of DeFi security. We believe there are 2 rules that should be followed:
from of transferFrom should always be msg.sender;allowance should always be non-upgradable.We suggest adding a non-upgradeable contract for processing user payments:
function followWithFee(uint256 profileId, bytes calldata data) external { (address currency, uint256 amount) = abi.decode(data, (address, uint256)); IERC20(currency).transferFrom(msg.sender, HUB, amount); uint256[] memory profileIds = new uint256[](1); profileIds[0] = profileId; bytes[] memory datas = new bytes[](1); datas[0] = data; IHUB(HUB).follow(profileIds, datas); }
This comes with an additional benefit: users only need to approve one contract instead of approving multiple follow or collect module contracts.
#0 - Zer0dot
2022-03-18T19:52:32Z
This is true, but is within the acceptable risk model.
#1 - 0xleastwood
2022-05-04T20:52:36Z
While I agree with the warden, this assumes that the admin acts maliciously. As such, I think medium risk is more in line with a faulty governance.
#2 - Zer0dot
2022-05-13T01:43:42Z
I still relatively disagree with severity, as with #26 faulty governance is an acceptable risk parameter. Though we should have been more clear that this is the case!
#3 - 0xleastwood
2022-05-13T08:52:52Z
I agree with you fully here, but again it comes down to the judging guidelines which might change in the future. The stated attack vector has stated assumptions which leads to a loss of funds.
2 β Med (M): vulns have a risk of 2 and are considered βMediumβ severity when assets are not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
Per the comment in ApprovalFollowModule, it aims to create a whitelist system:
This follow module only allows addresses that are approved for a profile by the profile owner to follow.
However, the current implementation only validates if _approvedByProfileByOwner when minting a new followNFT. But since the follow relationship is verified by the followNFT and the followNFT can be transferred to an arbitrary address.
As a result, a non-whitelisted address can bypass the whitelist by buying the followNFT from a whitelisted address.
The followModuleTransferHook can be used for blocking transfers to unapproved addresses.
function validateFollow( uint256 profileId, address follower, uint256 followNFTTokenId ) external view override { address followNFT = ILensHub(HUB).getFollowNFT(profileId); if (followNFT == address(0)) revert Errors.FollowInvalid(); if (followNFTTokenId == 0) { // check that follower owns a followNFT if (IERC721(followNFT).balanceOf(follower) == 0) revert Errors.FollowInvalid(); } else { // check that follower owns the specific followNFT if (IERC721(followNFT).ownerOf(followNFTTokenId) != follower) revert Errors.FollowInvalid(); } }
Alice created a private club and selected ApprovalFollowModule with 100 addresses of founding members and wanted to publish publications that can only be collected by those addresses;
Bob as founding members of Alice's private club, decides to sell his membership to Charlie by transfering the followNFT to Charlie, Charlie's address has never be approved by Alice, but he is now a follower in Alice's private club.
Change to:
function followModuleTransferHook( uint256 profileId, address from, address to, uint256 followNFTTokenId ) external override { address owner = IERC721(HUB).ownerOf(profileId); if (!_approvedByProfileByOwner[owner][profileId][to]) revert Errors.FollowNotApproved(); _approvedByProfileByOwner[owner][profileId][to] = false; // prevents repeat follows }
#0 - oneski
2022-02-17T01:27:03Z
this is by design. a more sophisticated module could implement non-transferable behavior or allow transfer only to approved addresses.
#1 - 0xleastwood
2022-05-05T13:36:00Z
IMO, this is a valid issue. If we want to strictly adhere to the whitelist, we should not allow whitelisted addresses to transfer NFTs to non-whitelisted addresses. This limits the formation of a secondary markets where users can bypass whitelist restrictions.
#2 - Zer0dot
2022-05-13T01:48:10Z
IMO, this is a valid issue. If we want to strictly adhere to the whitelist, we should not allow whitelisted addresses to transfer NFTs to non-whitelisted addresses. This limits the formation of a secondary markets where users can bypass whitelist restrictions.
Unfortunately transferrability is the in the nature of the protocol. The module's purpose is not to limit follows to only whitelisted wallets (as this is impossible to guarantee in case follow NFTs existed previously, though one could use the validation function etc). Rather, the goal of this module is simply to only allow whitelisted users to mint follow NFTs, what they do with them is up to them.
Due to the confusing nature of the module, I would not dispute this but I would still disagree that it's a medium severity issue, I would mark it as low.
#3 - 0xleastwood
2022-05-13T14:19:58Z
IMO, this is a valid issue. If we want to strictly adhere to the whitelist, we should not allow whitelisted addresses to transfer NFTs to non-whitelisted addresses. This limits the formation of a secondary markets where users can bypass whitelist restrictions.
Unfortunately transferrability is the in the nature of the protocol. The module's purpose is not to limit follows to only whitelisted wallets (as this is impossible to guarantee in case follow NFTs existed previously, though one could use the validation function etc). Rather, the goal of this module is simply to only allow whitelisted users to mint follow NFTs, what they do with them is up to them.
Due to the confusing nature of the module, I would not dispute this but I would still disagree that it's a medium severity issue, I would mark it as low.
So if I'm understanding this correctly, whitelisted users who mint follow NFTs are free to do whatever with those, whether they sell them to other parties or give them away. It's completely up to them?
If that's the case, I'll agree and mark this as QA.
#4 - Zer0dot
2022-05-13T14:28:14Z
IMO, this is a valid issue. If we want to strictly adhere to the whitelist, we should not allow whitelisted addresses to transfer NFTs to non-whitelisted addresses. This limits the formation of a secondary markets where users can bypass whitelist restrictions.
Unfortunately transferrability is the in the nature of the protocol. The module's purpose is not to limit follows to only whitelisted wallets (as this is impossible to guarantee in case follow NFTs existed previously, though one could use the validation function etc). Rather, the goal of this module is simply to only allow whitelisted users to mint follow NFTs, what they do with them is up to them. Due to the confusing nature of the module, I would not dispute this but I would still disagree that it's a medium severity issue, I would mark it as low.
So if I'm understanding this correctly, whitelisted users who mint follow NFTs are free to do whatever with those, whether they sell them to other parties or give them away. It's completely up to them?
If that's the case, I'll agree and mark this as QA.
Yeah although it's valid enough, this is just how the module works.
#5 - 0xleastwood
2022-05-13T14:33:46Z
IMO, this is a valid issue. If we want to strictly adhere to the whitelist, we should not allow whitelisted addresses to transfer NFTs to non-whitelisted addresses. This limits the formation of a secondary markets where users can bypass whitelist restrictions.
Unfortunately transferrability is the in the nature of the protocol. The module's purpose is not to limit follows to only whitelisted wallets (as this is impossible to guarantee in case follow NFTs existed previously, though one could use the validation function etc). Rather, the goal of this module is simply to only allow whitelisted users to mint follow NFTs, what they do with them is up to them. Due to the confusing nature of the module, I would not dispute this but I would still disagree that it's a medium severity issue, I would mark it as low.
So if I'm understanding this correctly, whitelisted users who mint follow NFTs are free to do whatever with those, whether they sell them to other parties or give them away. It's completely up to them?
If that's the case, I'll agree and mark this as QA.
Yeah although it's valid enough, this is just how the module works.
Okay, QA it is good ser
#6 - liveactionllama
2022-05-17T02:18:39Z
Per conversation with the judge ( @0xleastwood ), confirmed this issue is categorized as low risk.