Closed code423n4 closed 2 years ago
Structure will be a timelock... per comment on https://github.com/code-423n4/2022-02-aave-lens-findings/issues/3... this is a recommendation, not a bug.
Because governance is behind a timelock, fees cannot be changed retroactively.
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/aaf6c116345f3647e11a35010f28e3b90e7b4862/contracts/core/modules/ModuleGlobals.sol#L60
Vulnerability details
Impact
The ModuleGlobals._treasuryFee variable determines the fee percentage from a follow / collect module that goes to the treasury, and therefore also the percentage that goes to the content creator profile. This fee can be changed by the protocol admins, and the change takes effect for all profiles. Profiles can be lured in with low fees which are then later raised up to 50%. The contractual terms between Aave Lens and the creators can essentially be changed at any time.
Recommended Mitigation Steps
Consider not retroactively applying the fee to existing profiles, only to new ones. Upon profile creation, store the current fee for this profile.
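The mitigation sketched above, as an added, simplified illustration rather than Lens code: the treasury fee is snapshotted into each profile at creation, so a later governance change only reaches profiles created afterwards. Names such as FeeSnapshotExample, BPS_MAX, createProfile and splitCollect are assumptions of this example and do not correspond to the Lens contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Illustrative contract (not part of Lens): each profile freezes the
/// treasury fee that was in force when it was created.
contract FeeSnapshotExample {
    uint16 public constant BPS_MAX = 10000;          // assumed: fees are in basis points
    uint16 public constant MAX_TREASURY_FEE = 5000;  // 50% cap, as in the finding

    address public governance;
    uint16 internal _treasuryFee;                    // fee applied to *new* profiles only

    struct Profile {
        address owner;
        uint16 treasuryFeeBps;                       // frozen at creation
    }
    mapping(uint256 => Profile) public profiles;
    uint256 public profileCount;

    constructor(uint16 initialFee) {
        require(initialFee <= MAX_TREASURY_FEE, "fee too high");
        governance = msg.sender;
        _treasuryFee = initialFee;
    }

    /// Governance may change the fee, but existing profiles keep their snapshot.
    function setTreasuryFee(uint16 newFee) external {
        require(msg.sender == governance, "not governance");
        require(newFee <= MAX_TREASURY_FEE, "fee too high");
        _treasuryFee = newFee;
    }

    /// Creating a profile records the current fee for that profile.
    function createProfile() external returns (uint256 profileId) {
        profileId = ++profileCount;
        profiles[profileId] = Profile(msg.sender, _treasuryFee);
    }

    /// Split a collect payment using the fee frozen for this profile,
    /// instead of reading the global fee at collect time.
    function splitCollect(uint256 profileId, uint256 amount)
        public
        view
        returns (uint256 toTreasury, uint256 toCreator)
    {
        uint16 fee = profiles[profileId].treasuryFeeBps;
        toTreasury = (amount * fee) / BPS_MAX;
        toCreator = amount - toTreasury;
    }
}
```

A profile created at a 500 bps fee keeps paying 5% on collects even after governance raises the global fee to 5000 bps; only profiles created after that change pay 50%.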