Platform: Code4rena
Start Date: 17/07/2023
Pot Size: $85,500 USDC
Total HM: 11
Participants: 26
Period: 14 days
Judge: Picodes
Total Solo HM: 1
Id: 263
League: ETH
Rank: 26/26
Findings: 1
Award: $31.38
Selected for report: 0
Solo Findings: 0
Selected for report: MiloTruck
Also found by: 0xAnah, AlexCzm, Bughunter101, BugzyVonBuggernaut, DavidGiladi, Emmanuel, Iurii3, Kaysoft, MohammedRizwan, Prestige, Rolezn, Sathish9098, Stormreckson, adeolu, descharre, evmboi32, fatherOfBlocks, ginlee, ihtishamsudo, juancito, mrudenko, tnquanghuy0512
31.3772 USDC - $31.38
https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/FollowNFT.sol#L118-L123
https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/FollowNFT.sol#L131-L138
https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/FollowNFT.sol#L141-L153
https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/FollowNFT.sol#L311-L339
Users who were granted access to a follow NFT by its owner through approve() cannot use that access.
In the contract FollowNFT, permission to execute several functions is checked only through isApprovedForAll(), i.e. operator approvals the owner granted with setApprovalForAll(). A per-token approval granted with approve() is never consulted, so an executor approved that way by the owner will not be able to execute the following functions:
LensHub.unfollow()
LensHub.unfollowWithSig()
LensHub.follow()
LensHub.followWithSig()
FollowNFT.removeFollower()
FollowNFT.approveFollow()
function unfollow(uint256 unfollowerProfileId, address transactionExecutor) external override onlyHub {
    ...
    if (
        (followTokenOwner != unfollowerProfileOwner) &&
        (followTokenOwner != transactionExecutor) &&
        !isApprovedForAll(followTokenOwner, transactionExecutor) &&
        !isApprovedForAll(followTokenOwner, unfollowerProfileOwner)
    ) {
        revert DoesNotHavePermissions();
    }
    ...
}

function removeFollower(uint256 followTokenId) external override {
    ...
    if (followTokenOwner == msg.sender || isApprovedForAll(followTokenOwner, msg.sender)) {
        ...
    } else {
        revert DoesNotHavePermissions();
    }
}

function approveFollow(uint256 followerProfileId, uint256 followTokenId) external override {
    ...
    if (followTokenOwner != msg.sender && !isApprovedForAll(followTokenOwner, msg.sender)) {
        revert DoesNotHavePermissions();
    }
    ...
}

function _followWithWrappedToken(
    uint256 followerProfileId,
    address transactionExecutor,
    uint256 followTokenId,
    address followTokenOwner
) internal returns (uint256) {
    ...
    if (
        !isFollowApproved &&
        followTokenOwner != followerProfileOwner &&
        followTokenOwner != transactionExecutor &&
        !isApprovedForAll(followTokenOwner, transactionExecutor) &&
        !isApprovedForAll(followTokenOwner, followerProfileOwner)
    ) {
        revert DoesNotHavePermissions();
    }
    ...
}
Tools Used: VSCode
Recommended Mitigation: Add LensBaseERC721.getApproved() to the permission requirements, or use LensBaseERC721._isApprovedOrOwner() for the check instead.
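As an added illustration, not code from the Lens contracts or from the warden, the following minimal stand-in built on OpenZeppelin's ERC721 places the operator-only check used in FollowNFT beside the recommended form that also honours a per-token approve(). The contract name, function names and the mint helper are hypothetical; the OpenZeppelin import path is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed dependency: OpenZeppelin ERC721 (the public ownerOf/getApproved/isApprovedForAll API).
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

/// Hypothetical stand-in for FollowNFT: only the permission check is modelled.
contract FollowPermissionDemo is ERC721 {
    error DoesNotHavePermissions();

    constructor() ERC721("FollowPermissionDemo", "FPD") {}

    /// Test helper (hypothetical): mint a follow token to `to`.
    function mint(address to, uint256 followTokenId) external {
        _mint(to, followTokenId);
    }

    /// Mirrors the checks quoted in the finding: the owner itself, or an operator
    /// set through setApprovalForAll(). A per-token approve() is ignored here.
    function hasPermissionOperatorOnly(uint256 followTokenId, address executor) public view returns (bool) {
        address followTokenOwner = ownerOf(followTokenId);
        return followTokenOwner == executor || isApprovedForAll(followTokenOwner, executor);
    }

    /// Recommended form: additionally accept the address stored by approve(),
    /// which is what OpenZeppelin's _isApprovedOrOwner() helper also does.
    function hasPermissionOwnerOrApproved(uint256 followTokenId, address executor) public view returns (bool) {
        address followTokenOwner = ownerOf(followTokenId);
        return followTokenOwner == executor
            || isApprovedForAll(followTokenOwner, executor)
            || getApproved(followTokenId) == executor;
    }

    /// Gate as written in the finding: reverts for an executor that only holds approve().
    function removeFollowerOperatorOnly(uint256 followTokenId) external view {
        if (!hasPermissionOperatorOnly(followTokenId, msg.sender)) revert DoesNotHavePermissions();
    }

    /// Gate with the recommended check: an executor holding approve() for this token passes.
    function removeFollowerOwnerOrApproved(uint256 followTokenId) external view {
        if (!hasPermissionOwnerOrApproved(followTokenId, msg.sender)) revert DoesNotHavePermissions();
    }
}
```

After the owner calls approve(executor, followTokenId) but not setApprovalForAll, the two gates diverge only for that executor; an operator approved with setApprovalForAll passes both.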
Invalid Validation
#0 - donosonaumczuk
2023-08-08T16:24:45Z
We accept the issue but it cannot be Medium, it's not risking anything. This is more QA, as it's just providing more options, almost like "Better UX".
#1 - c4-sponsor
2023-08-08T16:24:49Z
donosonaumczuk marked the issue as disagree with severity
#2 - c4-judge
2023-08-28T18:00:40Z
Picodes changed the severity to QA (Quality Assurance)
#3 - Picodes
2023-08-28T18:01:24Z
There is no explanation of why the absence of these functionalities would lead to a Med issue
#4 - c4-judge
2023-08-28T20:46:43Z
Picodes marked the issue as grade-b