This is only an issue when a profile is deleted (burned), in which case UIs have multiple choices:
I don't think this adds any risk to the protocol and although it's valid, we will not be taking any action.
This is a duplicate of #67
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/collect/FeeCollectModule.sol#L139-L177
Vulnerability details
Impact
In the *FeeCollectModule contract, the recipient of the fee is specified by the user when the post is created, that is, even if the profileNFT is transferred or destroyed, the fee will still be sent to the address specified by the user when the post is created.
When collecting the mirror, the receiver of the referralFee is the owner of the referrer's profileNFT, that is, the referralFee will be sent to different addresses along with the transfer of the referrer's profileNFT.
When profileNFT is destroyed, require(owner != address(0)) in the ownerOf function will fail, resulting in DoS.
Proof of Concept
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/base/ERC721Time.sol#L365-L377
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/base/ERC721Time.sol#L84-L88
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/collect/FeeCollectModule.sol#L139-L177
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/collect/LimitedFeeCollectModule.sol#L157-L195
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/collect/LimitedTimedFeeCollectModule.sol#L168-L206
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/collect/TimedFeeCollectModule.sol#L153-L191
Tools Used
None
Recommended Mitigation Steps
Specify referralRecipient when creating the mirror, or check if the referrer's profileNFT is destroyed when collecting the mirror.
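
The failure described in the report and the second mitigation (checking at collect time whether the referrer's profile still exists), as an added example that is not code from the Lens repository or from the report. The contract, its function names and the credited mapping that stands in for token transfers are hypothetical, and the sketch omits access control.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added example: simplified model with hypothetical names, not Lens code.
interface IProfileNFT {
    // Assumed to revert for burned or nonexistent tokens, as the report
    // describes for ownerOf.
    function ownerOf(uint256 tokenId) external view returns (address);
}

contract ReferralSplitSketch {
    IProfileNFT public immutable hub;
    mapping(address => uint256) public credited; // stands in for token transfers

    constructor(IProfileNFT hub_) {
        hub = hub_;
    }

    // Before: if the referrer's profile was burned, ownerOf reverts and
    // every collect through that mirror reverts with it.
    function collectVulnerable(
        address recipient, uint256 referrerProfileId, uint256 amount, uint16 referralBps
    ) external {
        require(referralBps <= 10000, "bad bps");
        uint256 referralAmount = (amount * referralBps) / 10000;
        address referrer = hub.ownerOf(referrerProfileId); // reverts if burned
        credited[referrer] += referralAmount;
        credited[recipient] += amount - referralAmount;
    }

    // After: a failed owner lookup is treated as "no referrer", and the
    // recipient fixed at post creation receives the full amount.
    function collectGuarded(
        address recipient, uint256 referrerProfileId, uint256 amount, uint16 referralBps
    ) external {
        require(referralBps <= 10000, "bad bps");
        uint256 referralAmount = (amount * referralBps) / 10000;
        try hub.ownerOf(referrerProfileId) returns (address referrer) {
            credited[referrer] += referralAmount;
            credited[recipient] += amount - referralAmount;
        } catch {
            credited[recipient] += amount; // referrer profile burned
        }
    }
}
```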