Aave Lens contest - danb's results

Web3 permissionless, composable & decentralized social graph

General Information

Platform: Code4rena

Start Date: 10/02/2022

Pot Size: $100,000 USDC

Total HM: 13

Participants: 21

Period: 7 days

Judge: leastwood

Total Solo HM: 10

Id: 85

League: ETH

Aave Lens

Researcher Performance

Rank: 3/21

Findings: 2

Award: $13,481.36

🌟 Selected for report: 2

🚀 Solo Findings: 2

Findings Information

🌟 Selected for report: danb

Labels

bug
2 (Med Risk)
resolved
sponsor confirmed

Awards

6740.682 USDC - $6,740.68

External Links

Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/InteractionLogic.sol#L49

Vulnerability details

When someone tries to follow a profile, it checks if the handle exists, and if it doesn't, it reverts because the profile is deleted. The problem is that there might be a new profile with the same handle as the deleted one, allowing following deleted profiles.

Proof of Concept

Alice creates a profile with the handle "alice". The profile id is 1. She deletes the profile. She opens a new profile with the handle "alice". The new profile id is 2. Bob tries to follow the deleted profile (id is 1). The check

if (_profileIdByHandleHash[keccak256(bytes(handle))] == 0) revert Errors.TokenDoesNotExist();

doesn't revert because there exists a profile with the handle "alice". Therefore Bob followed a deleted profile when he meant to follow the new profile.

Change to:

if (_profileIdByHandleHash[keccak256(bytes(handle))] != profileIds[i]) revert Errors.TokenDoesNotExist();
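The Alice/Bob sequence above, replayed against both checks in a small Python model. This is an added example, not code from the contest repository or the report. It assumes that deleting a profile clears only the handle index entry while the old record keeps its handle, and it keys the index by the handle string instead of its keccak256 hash; all class and function names are hypothetical.

```python
class TokenDoesNotExist(Exception):
    """Stands in for Errors.TokenDoesNotExist()."""


class ProfileRegistry:
    """Toy model; dicts keyed by the handle replace the keccak256-keyed mapping."""

    def __init__(self):
        self.handle_by_id = {}   # models _profileById[id].handle
        self.id_by_handle = {}   # models _profileIdByHandleHash
        self.next_id = 1
        self.follows = []        # (follower, profileId) pairs

    def create_profile(self, handle):
        if self.id_by_handle.get(handle, 0) != 0:
            raise ValueError("handle taken")
        profile_id = self.next_id
        self.next_id += 1
        self.handle_by_id[profile_id] = handle
        self.id_by_handle[handle] = profile_id
        return profile_id

    def delete_profile(self, profile_id):
        # Assumption: deletion zeroes the handle index only; the old record keeps its handle.
        self.id_by_handle[self.handle_by_id[profile_id]] = 0

    def follow(self, follower, profile_ids, fixed):
        pending = []
        for profile_id in profile_ids:
            handle = self.handle_by_id.get(profile_id, "")
            indexed_id = self.id_by_handle.get(handle, 0)
            # Original check: "== 0". Proposed check: "!= profileIds[i]".
            missing = indexed_id != profile_id if fixed else indexed_id == 0
            if missing:
                raise TokenDoesNotExist(profile_id)  # reverts the whole batch
            pending.append((follower, profile_id))
        self.follows.extend(pending)


def replay_poc(fixed):
    """Replays the Alice/Bob sequence; returns the follows recorded."""
    reg = ProfileRegistry()
    old_id = reg.create_profile("alice")   # id 1
    reg.delete_profile(old_id)
    new_id = reg.create_profile("alice")   # id 2
    try:
        reg.follow("bob", [old_id], fixed)
    except TokenDoesNotExist:
        pass
    reg.follow("carol", [new_id], fixed)   # the live profile must stay followable
    return reg.follows
```

With the original check, the follow of id 1 is recorded because the index entry for "alice" is non-zero again; with the proposed check it is rejected because that entry now points at id 2.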

#0 - Zer0dot

2022-03-18T18:03:27Z

Will be changed to use the new exists() terminology. Valid!

#1 - Zer0dot

2022-03-18T19:35:19Z

Correction, we won't be using exists() to prevent extra calls, adding this comment!

#2 - Zer0dot

2022-03-18T19:41:03Z

#3 - 0xleastwood

2022-05-04T21:09:42Z

Nice find!

Findings Information

🌟 Selected for report: danb

Labels

bug
2 (Med Risk)
resolved
sponsor confirmed

Awards

6740.682 USDC - $6,740.68

External Links

Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/LensHub.sol#L929

Vulnerability details

All the external functions of LensHub have the whenNotPaused modifier. However, LensHub is an ERC721 and the transfer function doesn't have the whenNotPaused modifier.

Impact

In the case where governance wants to stop all activity, they still can't stop the transfer of profile NFTs. An example where stopping token transfers was actually very helpful: https://mobile.twitter.com/flashfish0x/status/1466369783016869892

Add whenNotPaused to _beforeTokenTransfer.

#0 - Zer0dot

2022-03-22T15:29:17Z
