code-423n4 / 2022-02-aave-lens-findings


User can bombard a publication with spam comments #28

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/PublishingLogic.sol#L182

Vulnerability details

Impact

Since there is no time-gap restriction between multiple comments made by a user, a user can use this to mass-flood a victim publication with spam comments. This will impact both the victim publication and the comment writers on the victim publication.

Proof of Concept

  1. User A does not like User B's publication, or wants to highlight his own publication.

  2. User A simply uses the createComment function on PublishingLogic.sol#L182 to make spam comments on User B's publication.

  3. Since there is no time-gap restriction before a new comment can be made, User A repeats Step 2 500+ times so that all genuine comments on User B's publication get pushed below (assuming the later UI will show comments ordered by block.timestamp).

  4. So when User C wants to see the comments on User B's post, he first sees all the spam posts made by User A, which will tire him out before he scrolls down to the genuine comments.

  5. This also causes a loss for the genuine comment writers on the publication, as users will now rarely collect their comments.

Recommended Mitigation Steps

  1. Implement a time gap between each comment made by users.
  2. A user should not be allowed to make more than x comments over y minutes for the same user and publication.
  3. Add a feature to report a user to a moderator.
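A sketch of the warden's second mitigation (at most x comments per y minutes for a given commenter and publication) as an on-chain fixed-window counter. This is an added example, not code from the Lens Protocol repository or from this thread; the contract name, the function name and the profileId/pubId parameter names are assumptions chosen to mirror the fields a comment carries.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// @notice Hypothetical fixed-window rate limiter for comments, keyed by the
/// (commenting profile, target profile, target publication) triple.
/// Constructed example only; not part of the Lens Protocol codebase.
abstract contract CommentRateLimit {
    struct Window {
        uint64 start; // timestamp at which the current window began
        uint64 count; // comments recorded in the current window
    }

    uint256 public immutable windowSeconds; // the "y minutes", in seconds
    uint256 public immutable maxPerWindow;  // the "x comments"

    mapping(bytes32 => Window) private _windows;

    error CommentRateLimited(uint256 retryAfterSeconds);

    constructor(uint256 windowSeconds_, uint256 maxPerWindow_) {
        require(windowSeconds_ > 0 && maxPerWindow_ > 0, "bad limits");
        windowSeconds = windowSeconds_;
        maxPerWindow = maxPerWindow_;
    }

    /// @dev Reverts if the commenter has exhausted its budget for this
    /// publication in the current window; otherwise records the comment.
    /// Intended to be called from the comment path before the comment is stored.
    function _enforceCommentLimit(
        uint256 commenterProfileId,
        uint256 profileIdPointed,
        uint256 pubIdPointed
    ) internal {
        bytes32 key = keccak256(
            abi.encode(commenterProfileId, profileIdPointed, pubIdPointed)
        );
        Window storage w = _windows[key];

        // Window expired (or never started): open a fresh one.
        if (block.timestamp >= uint256(w.start) + windowSeconds) {
            w.start = uint64(block.timestamp);
            w.count = 0;
        }
        if (w.count >= maxPerWindow) {
            revert CommentRateLimited(uint256(w.start) + windowSeconds - block.timestamp);
        }
        w.count += 1;
    }
}
```

Because the key is a profile id, a limit like this only throttles a single identity: as the later reply in this thread points out, additional profiles or EOAs each get their own budget, so it raises the cost of spam rather than preventing it.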

oneski commented 2 years ago

Declined, functionality is by design. Contracts should not take an opinion on what content is spam vs not spam.

Different FEs may implement time gaps, use different sorting algorithms, and have reporting functionality. This is a decision for each FE to make.

0xleastwood commented 2 years ago

I don't think this is something that can be easily handled on-chain. Users could create separate EOAs to bypass all the mitigations outlined by the warden. Marking as invalid as this is a front-end issue.