Closed (code423n4 closed this issue 2 years ago)
Duplicate. Decline. Following multiple times is by design. Follow Modules can be created that prohibit this behavior, but the base contracts should not limit it.
Deferring to #35 before I make a decision, but I'll mark as invalid in the meantime.
I think this is easily sidestepped by using multiple EOAs; this is addressed in https://github.com/code-423n4/2022-02-aave-lens-findings/issues/35
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/aaf6c116345f3647e11a35010f28e3b90e7b4862/contracts/libraries/InteractionLogic.sol#L38
Vulnerability details
Impact
The InteractionLogic.follow function does not check that the profileIds array is unique. One can follow the same profile several times and boost the follower count. Boosting follower counts is already an issue in traditional social media.

Note that the FollowNFTs are also used for voting, making this a high severity issue: it breaks the voting functionality if anyone can mint as many tokens as they want (at least for follow modules that do not require a fee payment).

Recommended Mitigation Steps
Ensure that the caller does not already follow the profile ID in follows and that the profileIds array is unique.
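As an added illustration of the mitigation described above (this is example code written for this page, not Lens's InteractionLogic or any code from the project), the following minimal contract shows the unchecked loop beside a hardened version that rejects duplicate profile IDs within one call and rejects a repeat follow from the same caller. The contract and member names (FollowRegistry, hasFollowed, followerCount, the two custom errors) are assumptions made for this example. As the comments on the issue point out, a check of this kind only covers repeated entries in a single call and repeated calls from one address; it does not prevent separate accounts from each following once.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative registry only; names below are assumptions for this example,
// not identifiers from the Lens protocol.
contract FollowRegistry {
    // profileId => follower address => whether this address already follows
    mapping(uint256 => mapping(address => bool)) public hasFollowed;
    // profileId => number of distinct followers recorded
    mapping(uint256 => uint256) public followerCount;

    error DuplicateProfileId(uint256 profileId);
    error AlreadyFollowing(uint256 profileId);

    // Unchecked pattern from the finding: nothing stops the same id from
    // appearing repeatedly, so [7, 7, 7] increments the count three times.
    function followUnchecked(uint256[] calldata profileIds) external {
        for (uint256 i = 0; i < profileIds.length; i++) {
            followerCount[profileIds[i]] += 1;
        }
    }

    // Hardened version: each id may appear at most once per call, and a
    // caller who already follows an id is rejected.
    function follow(uint256[] calldata profileIds) external {
        for (uint256 i = 0; i < profileIds.length; i++) {
            uint256 id = profileIds[i];

            // Pairwise comparison against earlier entries. This is O(n^2),
            // which is acceptable for short batches; for long arrays a
            // contract could instead require strictly ascending ids.
            for (uint256 j = 0; j < i; j++) {
                if (profileIds[j] == id) revert DuplicateProfileId(id);
            }

            // Reject a repeat follow from the same address across calls.
            if (hasFollowed[id][msg.sender]) revert AlreadyFollowing(id);

            hasFollowed[id][msg.sender] = true;
            followerCount[id] += 1;
        }
    }
}
```

Requiring a strictly ascending profileIds array is the cheaper alternative when batches may be long: the duplicate check then becomes a single comparison against the previous element, and the caller is responsible for sorting.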