Open code423n4 opened 2 years ago
With respect to collecting from deleted profiles, we really leave this up to the UIs. The only "break" that occurs from deleted profiles and collecting is when attempting to collect from the mirror of a deleted profile, in which case user interfaces have the option to direct the transaction directly towards collecting the mirrored publication.
State changing functions in the library are a remediation to code size concerns; the MIT license is a leftover from the modified Pausable contract, good catch! I believe the rest to be invalid.
8 Low issues identified as depicted below:

1. Zero address checks missing on setting Governance
Remediation: Change the _setGovernance like below:

2. Old users are not impacted on changing Follow module
Remediation: If followModule is changed using setFollowModule, then the new followModule should run on existing followers.

3. Publication/Comment/Mirror can be collected for a deleted profile
Remediation: Similar to the follow function, implement checks in comment, publication and mirror creation to see if the target profile exists/is active.

4. Stack too deep checks missing
Remediation: Change all collect module treasury fee calculations to the below (e.g. change LimitedTimedFeeCollectModule.sol#L159 to below):

5. Incorrect implementation of _setTreasuryFee
Remediation: Change the formula to:

6. Multiple NFTs can have the same symbol
Remediation:

7. Incorrect License specified
Remediation: Remove the MIT license and add AGPL-3.0-only. Modify LensMultiState.sol#L1 to below:

8. Contract state should not change in a Library
Remediation: Move all state-changing functions to a contract.
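As an added illustration of the first finding (missing zero-address check when setting governance), the following is example code written for this page. It is not the warden's remediation snippet, which is not reproduced above, and not Lens Protocol's own source; the contract, storage variable, event and error names are assumptions. It shows the unchecked setter next to the checked one so the failure mode is visible.

```solidity
// SPDX-License-Identifier: AGPL-3.0-only
pragma solidity ^0.8.10;

// Hypothetical illustration of the zero-address finding; not Lens Protocol code.
// All names in this contract are assumptions made for the example.
contract GovernanceExample {
    address internal _governance;

    event GovernanceSet(
        address indexed caller,
        address indexed prevGovernance,
        address indexed newGovernance,
        uint256 timestamp
    );

    error NotGovernance();
    error InitParamsInvalid();

    constructor(address initialGovernance) {
        // The same check covers construction, so a zero initial governance
        // cannot be deployed either.
        _setGovernance(initialGovernance);
    }

    modifier onlyGov() {
        if (msg.sender != _governance) revert NotGovernance();
        _;
    }

    // Unchecked form, kept here only for contrast: passing address(0) (a typo,
    // a bad script default, an uninitialised variable) permanently locks every
    // onlyGov function, because no caller can ever have msg.sender == address(0).
    function setGovernanceUnchecked(address newGovernance) external onlyGov {
        address prev = _governance;
        _governance = newGovernance;
        emit GovernanceSet(msg.sender, prev, newGovernance, block.timestamp);
    }

    // Checked form: the validation lives in the internal setter so every
    // caller (constructor, external setter, future upgrade paths) inherits it.
    function setGovernance(address newGovernance) external onlyGov {
        _setGovernance(newGovernance);
    }

    function _setGovernance(address newGovernance) internal {
        if (newGovernance == address(0)) revert InitParamsInvalid();
        address prev = _governance;
        _governance = newGovernance;
        emit GovernanceSet(msg.sender, prev, newGovernance, block.timestamp);
    }

    function governance() external view returns (address) {
        return _governance;
    }
}
```

The zero-address check only catches the zero value; a non-zero but wrong address locks the contract just as permanently. Where governance transfer is rare and high-stakes, a two-step pattern (current governance proposes an address, the proposed address must call accept) closes that gap as well.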