code-423n4 / 2022-02-aave-lens-findings


Can follow a profile several times #23

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/aaf6c116345f3647e11a35010f28e3b90e7b4862/contracts/libraries/InteractionLogic.sol#L38

Vulnerability details

Impact

The InteractionLogic.follow function does not check that the profileIds array is unique. One can follow the same profile several times and boost the follower count. Boosting follower counts is already an issue in traditional social media.

Note that the FollowNFTs are also used for voting making this a high severity issue as it breaks the voting functionality if anyone can mint as many tokens as they want (at least for follow modules that do not require a fee payment).

Recommended Mitigation Steps

Ensure that the caller does not already follow the profile ID in follows and the profileIds array is unique.
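As an added illustration of the recommended mitigation (not the Lens code and not part of the original finding), a minimal Solidity sketch that rejects duplicate profile IDs within one call and profiles the caller already follows; the contract, mapping and error names are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical, simplified sketch (not Lens code) of the check the finding
/// recommends. Storage layout and names are assumptions for illustration.
contract FollowGuardExample {
    error DuplicateProfileId(uint256 profileId);
    error AlreadyFollowing(address follower, uint256 profileId);

    // follower => profileId => already following
    mapping(address => mapping(uint256 => bool)) public isFollowing;
    // profileId => follower count (the value the finding says can be inflated)
    mapping(uint256 => uint256) public followerCount;

    /// Follows each profile in `profileIds` at most once per caller.
    function follow(uint256[] calldata profileIds) external {
        _requireUnique(profileIds);
        for (uint256 i = 0; i < profileIds.length; i++) {
            uint256 id = profileIds[i];
            if (isFollowing[msg.sender][id]) {
                revert AlreadyFollowing(msg.sender, id);
            }
            isFollowing[msg.sender][id] = true;
            followerCount[id] += 1;
            // a real implementation would mint the FollowNFT here
        }
    }

    /// Pairwise O(n^2) check; fine because follow batches are small.
    function _requireUnique(uint256[] calldata ids) internal pure {
        for (uint256 i = 0; i < ids.length; i++) {
            for (uint256 j = i + 1; j < ids.length; j++) {
                if (ids[i] == ids[j]) revert DuplicateProfileId(ids[i]);
            }
        }
    }
}
```

As the later comments in this thread point out, a per-address check only prevents repeat follows from one account; the same actor using several EOAs is the separate question handled in #35.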

oneski commented 2 years ago

Duplicate. Decline. Following multiple times is by design. Follow Modules can be created that prohibit this behavior but the base contracts should not limit it.

0xleastwood commented 2 years ago

Deferring to #35 before I make a decision but I'll mark as invalid in the meantime.

0xleastwood commented 2 years ago

I think this is easily sidestepped by using multiple EOAs, this is addressed in https://github.com/code-423n4/2022-02-aave-lens-findings/issues/35