code-423n4 / 2022-02-aave-lens-findings


SecretCodeFollowModule: passcode should not be stored in _passcodeByProfile in clear text #11

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/follow/SecretCodeFollowModule.sol#L10-L23

Vulnerability details

Impact

When calling the initializeFollowModule function of the SecretCodeFollowModule contract, the passcode will be stored in _passcodeByProfile in plaintext, and an attacker can easily find the passcode from Polygon's transactions (or by using the web3.eth.getStorageAt interface).

Proof of Concept

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/follow/SecretCodeFollowModule.sol#L10-L23

Tools Used

None

Recommended Mitigation Steps

Considering that the passcode should be kept as secret as possible, the data passed in by the user to the initializeFollowModule function should be the passcode processed by keccak256, and the passcode provided by the user to the processFollow function needs to be processed by keccak256 and then compared with _passcodeByProfile[profileId].

    // Fragment of SecretCodeFollowModule.sol: contract declaration, imports and
    // the transfer hook are unchanged. Only the keccak256 digest of the passcode
    // is stored, so the mapping value type is bytes32 (a bytes value could not be
    // compared against a keccak256 result).
    mapping(uint256 => bytes32) internal _passcodeByProfile;

    // data should be the passcode processed by keccak256, ABI-encoded as a bytes32
    function initializeFollowModule(uint256 profileId, bytes calldata data)
        external
        override
        onlyHub
        returns (bytes memory)
    {
        bytes32 passcodeHash = abi.decode(data, (bytes32));
        _passcodeByProfile[profileId] = passcodeHash;
        return data;
    }

    function processFollow(
        address follower,
        uint256 profileId,
        bytes calldata data
    ) external view override {
        uint256 passcode = abi.decode(data, (uint256));
        // Hash the submitted passcode and compare it with the stored digest;
        // abi.encodePacked of a uint256 is its 32-byte big-endian encoding.
        if (keccak256(abi.encodePacked(passcode)) != _passcodeByProfile[profileId])
            revert PasscodeInvalid();
    }
oneski commented 2 years ago

Per comments in the Discord, this contract is out of scope.