When calling the initializeFollowModule function of the SecretCodeFollowModule contract, the passcode will be stored in _passcodeByProfile in plaintext, and the attacker can easily find the passcode from the polygon's transactions(or using the web3.eth.getStorageAt interface).
Considering that the passcode should be kept as secret as possible, the data passed in by the user in the initializeFollowModule function should be the passcode processed by keccak256, and the passcode provided by the user in the processFollow function needs to be processed by keccak256 and then compared with _passcodeByProfile[profileId].
mapping(uint256 => bytes) internal _passcodeByProfile;
// data should be passcode processed by keccak256
function initializeFollowModule(uint256 profileId, bytes calldata data)
external
override
onlyHub
returns (bytes memory)
{
_passcodeByProfile[profileId] = data;
return data;
}
function processFollow(
address follower,
uint256 profileId,
bytes calldata data
) external view override {
uint256 passcode = abi.decode(data, (uint256));
if (keccak256(abi.encodePacked(passcode)) != _passcodeByProfile[profileId]) revert PasscodeInvalid();
}
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/follow/SecretCodeFollowModule.sol#L10-L23
Vulnerability details
Impact
When calling the initializeFollowModule function of the SecretCodeFollowModule contract, the passcode will be stored in _passcodeByProfile in plaintext, and the attacker can easily find the passcode from the polygon's transactions(or using the web3.eth.getStorageAt interface).
Proof of Concept
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/follow/SecretCodeFollowModule.sol#L10-L23
Tools Used
None
Recommended Mitigation Steps
Considering that the passcode should be kept as secret as possible, the data passed in by the user in the initializeFollowModule function should be the passcode processed by keccak256, and the passcode provided by the user in the processFollow function needs to be processed by keccak256 and then compared with _passcodeByProfile[profileId].