Platform: Code4rena
Start Date: 10/02/2022
Pot Size: $100,000 USDC
Total HM: 13
Participants: 21
Period: 7 days
Judge: leastwood
Total Solo HM: 10
Id: 85
League: ETH
Rank: 9/21
Findings: 3
Award: $2,451.78
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: cmichel
Also found by: csanuragjain, gzeon
User can refer themselves when collect in any CollectModule that collect fee. The will lead to value leak as user can always refer themselves to receive a referral fee as discount.
Check if referrer == collector. Alternatively, only allow existing collectors to earn referral fee to incentivize.
#0 - oneski
2022-02-16T21:58:26Z
as designed, collect modules can mitigate this behavior, but protocol shouldn't limit it.
duplicate.
#1 - 0xleastwood
2022-05-04T21:20:19Z
Duplicate of #20
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/LensHub.sol#L57 Recommended to add check to make sure addresses supplied is not address(0)
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/CollectNFT.sol#L29 Recommended to add check to make sure addresses supplied is not address(0)
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/FollowNFT.sol#L48 Recommended to add check to make sure addresses supplied is not address(0)
CollectNFT/FollowNFT require the address of LensHub in the constructor, while LensHub require the address of CollectNFT and FollowNFT. While we can use a pre-computed address, it might be better to call the initializer from LensHub to set everything at once.
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/LensHub.sol#L63 Recommended to add check to make sure newGovernance is not address(0)
The way _createComment coded is likely to prevent comment loop so pubCount is incremented after PublishingLogic.createComment. It looks a bit werid since other function use ++pubCount instead. Recommed to add soe comment here for future reference.
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/LensHub.sol#L878
function _createComment(DataTypes.CommentData memory vars) internal { PublishingLogic.createComment( vars, _profileById[vars.profileId].pubCount + 1, _profileById, _pubByIdByProfile, _collectModuleWhitelisted, _referenceModuleWhitelisted ); _profileById[vars.profileId].pubCount++; }
To reduce risk of failed governance transfer, use a 2 steps process that require the new governance's interaction. https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/LensHub.sol#L78
To reduce risk of failed governance transfer, use a 2 steps process that require the new governance's interaction. https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/modules/ModuleGlobals.sol#L50
#0 - Zer0dot
2022-03-21T18:59:57Z
Various duplicates, we are not acting on any of this except the comment, which is a good point. On the point of input validation, this is true but the constructors and the LensHub initializer, being part of the initial setup, are within the trust assumptions (just like governance being a legitimate timelock controlled by a multisig etc)
Use uint(1) instead of bool(true) to save gas by avoiding masking ops https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/storage/LensHubStorage.sol#L59
mapping(address => bool) internal _profileCreatorWhitelisted; mapping(address => bool) internal _followModuleWhitelisted; mapping(address => bool) internal _collectModuleWhitelisted; mapping(address => bool) internal _referenceModuleWhitelisted;
It is virtually impossible for these counter to overflow https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/LensHub.sol#L148
uint256 profileId = ++_profileCounter;
uint256 tokenId = ++_tokenIdCounter;
uint256 tokenId = ++_tokenIdCounter;
'.' must be < '0' https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/libraries/PublishingLogic.sol#L398
function _validateHandle(string calldata handle) private pure { bytes memory byteHandle = bytes(handle); if (byteHandle.length == 0 || byteHandle.length > Constants.MAX_HANDLE_LENGTH) revert Errors.HandleLengthInvalid(); for (uint256 i = 0; i < byteHandle.length; ++i) { if ( ((byteHandle[i] < '0' && byteHandle[i] != '.') || byteHandle[i] > 'z' || (byteHandle[i] > '9' && byteHandle[i] < 'a')) ) revert Errors.HandleContainsInvalidCharacters(); } }
bytes memory followModuleReturnData; if (vars.followModule != address(0)) { _profileById[profileId].followModule = vars.followModule; followModuleReturnData = _initFollowModule( profileId, vars.followModule, vars.followModuleData, _followModuleWhitelisted ); }else{ followModuleReturnData = new bytes(0); } _emitProfileCreated(profileId, vars, followModuleReturnData); }
#0 - Zer0dot
2022-03-21T19:16:42Z
So this is fairly low quality in that there is basically no explanation and it doesn't follow the required format, but anyway the unchecked increment thing is true, I'm looking at how best to implement that! Uint256 instead of bool is absolutely out of the question because it hugely disfavors readability.
I don't understand the handle validation, it's true that the UTF-8 representation of "." is 2e which is less than the representation of "0" which is 30, however, the check is there because if the character is equal to 2e then we should not revert, so as far as I can tell this is a necessary check.
We only accept the period, the range between "0" and "9" as well as the range between "a" and "b."
The final gas optimization is valid, good catch!
#1 - Zer0dot
2022-03-21T19:50:58Z
Correction, because it's assumed most users will use a follow module, this optimization (which does indeed reduce costs when there is no follow module to set) appears to increase costs in scenarios where users have follow modules.
#2 - Zer0dot
2022-03-24T14:04:32Z
Unchecked increments are valid though!
#3 - Zer0dot
2022-03-24T14:23:23Z
Specifically not addressed in a PR but in a commit: https://github.com/aave/lens-protocol/commit/589155643c98881d084dc32f8a55537d645a1f9b