Lens Protocol V2 - maanas's results

An open technology stack on which builders can create social front-ends or integrate Lens social capabilities.

General Information

Platform: Code4rena

Start Date: 17/07/2023

Pot Size: $85,500 USDC

Total HM: 11

Participants: 26

Period: 14 days

Judge: Picodes

Total Solo HM: 1

Id: 263

League: ETH

Lens Protocol

Findings Distribution

Researcher Performance

Rank: 6/26

Findings: 2

Award: $3,192.72

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: MiloTruck

Also found by: Prestige, maanas

Labels

bug
2 (Med Risk)
satisfactory
duplicate-145

Awards

1596.3587 USDC - $1,596.36

External Links

Lines of code

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/FollowNFT.sol#L115-L125

Vulnerability details

Impact

If a user sells his follow NFT without first unfollowing the profile, he could be permanently unable to unfollow that profile.

Proof of Concept

A user could sell his follow NFT without unfollowing the profile. Unless the new owner of the follow NFT sets the user as an operator or removes the user as the follower, the user will never be able to unfollow the profile.

An example scenario would be:

  1. Follow NFTs of a particular profile gain monetary value and are being sold at high prices.
  2. A user following the profile decides to wrap and sell his Follow NFT but fails to unfollow first.
  3. The user later develops a bad relationship with the profile.
  4. He wants to unfollow but is unable to.

Tools Used

Manual Review

Recommended Mitigation Steps

Allow a profile to unfollow even if the user no longer owns the follow NFT.
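As an added illustration (not code from the Lens repository or from this report), a simplified Solidity model of the follow-token permission check described above; the contract, its state layout and function names are assumptions chosen for the example, and it is deployed once with the vulnerable rule and once with the recommended one:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified, hypothetical follow-NFT model (not Lens' FollowNFT.sol). A follow token
/// is bound to its follower profile; wrapping gives it an address owner and makes it
/// transferable, which is what a seller hands over. Operator approvals are omitted.
contract FollowModel {
    mapping(uint256 => address) public profileOwner;  // profileId -> controller (constructed)
    mapping(uint256 => uint256) public followTokenOf; // follower profileId -> follow tokenId (0 = none)
    mapping(uint256 => address) public tokenOwner;    // follow tokenId -> owner (0 = unwrapped)
    uint256 private _lastTokenId;
    bool public immutable hardened; // false = vulnerable rule, true = recommended rule
    error NotFollowing();
    error DoesNotHavePermissions();
    constructor(bool _hardened) { hardened = _hardened; }
    function registerProfile(uint256 profileId) external { profileOwner[profileId] = msg.sender; }

    function follow(uint256 profileId) external returns (uint256 tokenId) {
        require(msg.sender == profileOwner[profileId], "not profile owner");
        tokenId = ++_lastTokenId;
        followTokenOf[profileId] = tokenId;
    }

    // Wrapping mints the follow token to the profile owner; transfer is the sale.
    function wrap(uint256 profileId) external {
        require(msg.sender == profileOwner[profileId], "not profile owner");
        tokenOwner[followTokenOf[profileId]] = msg.sender;
    }
    function transfer(uint256 tokenId, address to) external {
        require(msg.sender == tokenOwner[tokenId], "not token owner");
        tokenOwner[tokenId] = to;
    }

    // Who controls the follow token: its address owner once wrapped, else the profile owner.
    function _controller(uint256 profileId, uint256 tokenId) internal view returns (address) {
        return tokenOwner[tokenId] == address(0) ? profileOwner[profileId] : tokenOwner[tokenId];
    }

    // Vulnerable rule: only the token's controller may unfollow, so a profile whose wrapped
    // token was sold stays a follower unless the buyer cooperates. Hardened rule (the
    // report's recommendation): the follower profile's owner may always unfollow as well.
    function unfollow(uint256 profileId) external {
        uint256 tokenId = followTokenOf[profileId];
        if (tokenId == 0) revert NotFollowing();
        bool ok = msg.sender == _controller(profileId, tokenId)
            || (hardened && msg.sender == profileOwner[profileId]);
        if (!ok) revert DoesNotHavePermissions();
        delete followTokenOf[profileId];
    }
}
```

With `hardened = false`, a profile owner who calls follow, wrap and transfer and then unfollow is rejected with DoesNotHavePermissions; with `hardened = true` the same sequence lets the profile owner unfollow.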

Assessed type

Other

#0 - c4-pre-sort

2023-08-03T16:54:29Z

141345 marked the issue as duplicate of #145

#1 - c4-judge

2023-08-28T14:28:28Z

Picodes marked the issue as satisfactory

#2 - c4-judge

2023-08-28T14:30:59Z

Picodes changed the severity to QA (Quality Assurance)

#3 - c4-judge

2023-08-28T14:37:36Z

This previously downgraded issue has been upgraded by Picodes

#4 - c4-judge

2023-08-28T17:52:43Z

Picodes marked the issue as not a duplicate

#5 - c4-judge

2023-08-28T17:52:53Z

Picodes marked the issue as duplicate of #145

Findings Information

🌟 Selected for report: MiloTruck

Also found by: juancito, maanas

Labels

bug
2 (Med Risk)
satisfactory
duplicate-143

Awards

1596.3587 USDC - $1,596.36

External Links

Lines of code

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/libraries/MigrationLib.sol#L60

Vulnerability details

Impact

Some profiles cannot be migrated to V2 if their handle tokenId has already been minted.

Proof of Concept

A handle can be minted in the LensHandles contract before the V1 profile that holds the same handle is migrated.

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/namespaces/LensHandles.sol#L87-L94

When the profile then attempts to migrate, the migration reverts because the handle tokenId has already been minted, so the profile cannot be migrated to V2.

Tools Used

Manual Review

Recommended Mitigation Steps

Before minting a handle, check whether it belongs to a V1 profile.

Assessed type

Other

#0 - c4-pre-sort

2023-08-03T17:09:55Z

141345 marked the issue as duplicate of #143

#1 - c4-judge

2023-08-28T15:57:16Z

Picodes marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
