Platform: Code4rena
Start Date: 10/02/2022
Pot Size: $100,000 USDC
Total HM: 13
Participants: 21
Period: 7 days
Judge: leastwood
Total Solo HM: 10
Id: 85
League: ETH
Rank: 1/21
Findings: 6
Award: $31,816.01
π Selected for report: 5
π Solo Findings: 4
In the fee collect modules like FeeCollectModule, the initializePublicationCollectModule checks if the fee amount that each user needs to pay is at least >= BPS_MAX = 10_000.
For certain currencies with fewer decimals this is too restrictive.
As an example, WBTC has 8 decimals and 10_000 WBTC would already be 1e4/1e8 * 50_000$ = 5$ per collect which might be above what the publication owner wants to charge.
Certain currencies can effectively not be used in the system.
Consider removing the amount restrictions and just checking amount > 0.
#0 - Zer0dot
2022-02-15T02:03:17Z
Actually a good point!
#1 - Zer0dot
2022-03-21T22:57:42Z
Duplicate of #46
π Selected for report: cmichel
6740.682 USDC - $6,740.68
The LensHub/PublishingLogic.createProfile function can be frontrun by other whitelisted profile creators.
An attacker can observe pending createProfile transactions and frontrun them, own that handle, and demand ransom from the original transaction creator.
Everyone needs to use flashbots / private transactions but it might not be available on the deployed chain. A commit/reveal scheme for the handle and the entire profile creation could mitigate this issue.
#0 - oneski
2022-02-16T20:29:33Z
Declined. This is by design. Governance can allow contracts/addresses to mint. If governance allows a malicious actor that is the fault of governance. Governance can also allow contracts that implement auction/commit reveal or other functionality as well to manage the profile minting system.
The protocol should take no opinion on this by default.
#1 - 0xleastwood
2022-05-04T12:47:43Z
While I agree that this is the fault of the governance, I think it still stands that any whitelisted user may be compromised or become malicious at a later point in time. For that reason, I think this issue has some validity although due to the unlikely nature (requiring a faulty governance), I'll mark this as medium risk for now.
#2 - Zer0dot
2022-05-13T01:39:26Z
While I agree that this is the fault of the governance, I think it still stands that any whitelisted user may be compromised or become malicious at a later point in time. For that reason, I think this issue has some validity although due to the unlikely nature (requiring a faulty governance), I'll mark this as
mediumrisk for now.
I disagree on the medium risk. Governance being faulty is not enough of a reason IMO. Like most governance-included protocols, governance getting compromised bears risks that are largely unavoidable.
#3 - 0xleastwood
2022-05-13T08:55:27Z
While I agree that a faulty governance is an extremely unlikely outcome. It isn't stated in the README and as per the judges guidelines, profiles can be front-run under specific stated assumptions/external requirements. A malicious whitelisted profile creator can reasonably front-run other creators.
2 β Med (M): vulns have a risk of 2 and are considered βMediumβ severity when assets are not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
#4 - Zer0dot
2022-05-13T14:07:20Z
Fair enough, though we were aware of this-- it's clear it falls into a medium severity. We're acknowledging this!
π Selected for report: cmichel
Creating profiles through LensHub/PublishingLogic.createProfile does not cost anything and will therefore result in "name squatting".
A whitelisted profile creator will create many handles that are in demand, even if they don't need them, just to flip them for a profit later.
This ruins the experience for many high-profile users that can't get their desired handle.
Consider auctioning off handles to the highest bidder or at least taking a fee such that the cost of name squatting is not zero.
#0 - oneski
2022-02-16T20:28:06Z
Declined. This is by design. Governance can allow contracts/addresses to mint. If governance allows a malicious actor that is the fault of governance. Governance can also allow contracts that implement auction or other functionality as well to manage the profile minting system.
The protocol should take no opinion on this by default.
#1 - 0xleastwood
2022-05-04T12:49:31Z
I will mark this as medium risk for the same reasons outlined in #26
π Selected for report: cmichel
Also found by: csanuragjain, gzeon
1819.9841 USDC - $1,819.98
In the fee collect modules like FeeCollectModule there is no prevention of someone submitting a second profile they own as the referrerProfileId in processCollect to receive back part of the fees paid.
The referral system is essentially broken as all rational agents will submit a second profile they control to get back part of the fees. One could even create a referrer smart contract profile that anyone can submit which automatically refunds the fee received. A similar royalties/referral fees issue was judged high-severity recently.
There's no way to avoid this except by not allowing any profile as a referrer. Whitelist certain important infrastructure providers, like different frontends, as referrers and only allow these to be used instead of users submitting their alt profiles.
#0 - Zer0dot
2022-02-15T02:43:18Z
Not sure if this makes sense, using your own referrer as a profile would basically be the equivalent of just having your publication collected directly without referral. In which case, what is the vulnerability?
#1 - donosonaumczuk
2022-03-21T19:58:16Z
I think they mean the case where Alice posts something and Bob wants to collect it. So Bob instead of just collecting directly from Alice publication, he creates a secondary profile, Bob2, mirrors publication through Bob2 and now Bob collects through Bob2's mirror, basically using the referral fee as a collecting discount for himself.
Even if we enforce referral profile owner to be different than collecting profile owner (aka comparing ownerOf(profileId) instead of profileId) people can just use different addresses for the purpose.
I saw this before but I assumed most of people will use the frontend, which will handle this automatically. But I believe that in the long term is possible that people learn the trick and, as rational agents, use it.
Awaiting for @Zer0dot thoughts on this.
#2 - Zer0dot
2022-03-21T22:41:32Z
I see, thanks @donosonaumczuk, at the end of the day this is a social protocol. Just like how on legacy social media, users can spam/abuse things, it's a given here that we will never have a fully foolproof system. Plus, with the chain history being visible, tools can (and I'd like to see them) be built to filter out nasty behavior. @oneski want to weigh in?
#3 - donosonaumczuk
2022-03-25T15:13:34Z
I think there is nothing more to do here
#4 - 0xleastwood
2022-05-04T18:03:58Z
I think its naive to think that this will be properly handled by the front-end and won't be abused by users at some point in time. As such, I'm inclined to treat this as a valid medium risk issue because it fits the category of value leakage by the protocol. However, I can understand that there is no easy fix to this because it is impossible to link EOAs as originating from the same person.
#5 - Zer0dot
2022-05-12T17:17:18Z
Yeah I think that's fair, since we're dealing with a social protocol there's a degree of social "etiquette" expected from users. Since this does not harm the protocol or the original publication creator, I don't see it as a significant flaw. However, it does of course harm curators. I tend to disagree on the point about frontends @0xleastwood though, it seems to me that if this were to be a problem, it would be fairly straightforward to point fingers at those abusing the system.
#6 - 0xleastwood
2022-05-13T08:41:04Z
Yeah I think that's fair, since we're dealing with a social protocol there's a degree of social "etiquette" expected from users. Since this does not harm the protocol or the original publication creator, I don't see it as a significant flaw. However, it does of course harm curators. I tend to disagree on the point about frontends @0xleastwood though, it seems to me that if this were to be a problem, it would be fairly straightforward to point fingers at those abusing the system.
While I understand an attacker would need to call functions directly to set this up, I'm not fully onboard with the idea that we could punish users who abuse the system in such a way. As per the judging guidelines, any issue that leaks value from the protocol is medium risk.
2 β Med (M): vulns have a risk of 2 and are considered βMediumβ severity when assets are not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
I think its perfectly find if this issue is acknowledged and you guys have decided to handle it through front-end design. However, it does not take away from the fact that it is still somewhat of an exploit.
#7 - Zer0dot
2022-05-13T14:05:04Z
Fair enough! We can roll with medium.
π Selected for report: cmichel
6740.682 USDC - $6,740.68
The ApprovalFollowModule.approve function is indexed by both (owner = IERC721(HUB).ownerOf(profileId), profileId) in case the profileId NFT is transferred.
However, upon transfer, the old approvals are not cleared.
This can lead to similar issues as OpenSea not cancelling their sale offers upon NFT transfer. When the NFT is at some point transferred back to the original owner, all the old approvals are still intact which might not be expected by the owner.
Consider resetting all approvals upon transfer.
#0 - Zer0dot
2022-02-15T02:43:58Z
This is known and acceptable, users should be able to check their approvals even if they don't have the profile.
#1 - Zer0dot
2022-03-21T23:20:39Z
Paging @oneski if you have any input
#2 - 0xleastwood
2022-05-05T13:28:03Z
I think this issue is entirely valid, it should not be on the users to manage their approvals so much. It would be much safer to wipe approvals on transfers and avoid this issue altogether.
#3 - 0xleastwood
2022-05-05T13:28:13Z
Keeping this issue open and as is.
#4 - donosonaumczuk
2022-05-12T17:01:15Z
I think this issue is entirely valid, it should not be on the users to manage their approvals so much. It would be much safer to wipe approvals on transfers and avoid this issue altogether.
I would say wiping on transfers is a bit annoying as I could be transfefring my profile between two addresses I own. It would be a better alternative to wipe on re-initialization by passing a boolean keepPreviousState flag (or something similar).
#5 - Zer0dot
2022-05-13T01:56:36Z
So after some more discussion, I think the points here are valid, but we were aware of this from the beginning. There are pros and cons to maintaining state. This module will not be present at launch and further iteration can modify it. Unfortunately there is no profile NFT transfer hook in follow modules currently. As this is still in my eyes not a direct vulnerability but more a caveat of how this specific system is designed, I would no longer dispute it but I would mark it as a low severity issue.
#6 - 0xleastwood
2022-05-13T08:37:21Z
So after some more discussion, I think the points here are valid, but we were aware of this from the beginning. There are pros and cons to maintaining state. This module will not be present at launch and further iteration can modify it. Unfortunately there is no profile NFT transfer hook in follow modules currently. As this is still in my eyes not a direct vulnerability but more a caveat of how this specific system is designed, I would no longer dispute it but I would mark it as a low severity issue.
While I agree with you that giving users the ability to save the previous state on transfer makes sense and understand that the necessary changes to do this can be put in place in the future. I think its best I stay consistent with the judging rulebook as per below:
2 β Med (M): vulns have a risk of 2 and are considered βMediumβ severity when assets are not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
I believe the functionality of the protocol is impacted in this scenario so I think its fair to keep this as medium risk.
#7 - Zer0dot
2022-05-13T14:10:48Z
Sounds fair, acknowledging. This is something we're going to look into deeper for newer or updated functionality (we won't be deploying this module yet).
π Selected for report: cmichel
Creating profiles through LensHub.createProfile requires the caller to be whitelisted.
function _validateCallerIsWhitelistedProfileCreator() internal view { if (!_profileCreatorWhitelisted[msg.sender]) revert Errors.ProfileCreatorNotWhitelisted(); }
However, a single whitelisted account can create as many profiles as they want and send the profile NFT to other users. They can create unlimited profiles on behalf of other users which makes the whitelist not effective.
Consider limiting the number of profile creations per whitelisted user or severely limiting who is allowed to create profiles, basically making profile creation a centralized system.
#0 - oneski
2022-02-16T20:16:37Z
Declined, this is by design.
Governance will decide what contracts are allowed to mint via the allowlist. If governance wishes to have a more centralized system, it will only approve contracts that have numerical caps within their code.
#1 - 0xleastwood
2022-05-05T13:25:56Z
I agree with the sponsor, I think this can already be handled by the governance strictly approving contracts with numerical caps or limiting the allowlist of who can create a profile. As such, I'm inclined to mark this as invalid because the recommendation can already be implemented or adhered to by the governance.
#2 - 0xleastwood
2022-05-05T13:39:58Z
In light of another issue, I will mark this as a valid issue because #66 outlines a similar concern. The two issues reference different parts of the codebase so I think its fair to keep them distinct. However, I'd normally like to see a bit more detail on how non-whitelisted users can benefit from an infinite minter.