Closed: code423n4 closed this issue 2 years ago
Declined, functionality is by design. Contracts should not take an opinion on what content is spam vs not spam.
Different FEs may implement time gaps, use different sorting algorithms, and have reporting functionality. This is a decision for each FE to make.
I don't think this is something that can be easily handled on-chain. Users could create separate EOAs to bypass all the mitigations outlined by the warden. Marking as invalid as this is a front-end issue.
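The judge's comment points at front-end sorting and reporting as the place to handle a flood like the one described in the report. The following is an added example, not code from the Lens contracts or from the report: a ranking function that collapses a burst of comments from one profile so other commenters stay visible, plus a sliding-window burst detector a front end could use to flag a profile for review. The comment events and the field names (profileId, pubId, timestamp) are constructed for this example and assume the shape a Lens indexer would expose.

```javascript
// Constructed sample events; the field names are assumed, not taken from a Lens indexer.
const SAMPLE_COMMENTS = [
  { profileId: 7, pubId: 101, timestamp: 1000 }, // genuine commenter
  { profileId: 3, pubId: 102, timestamp: 1001 }, // burst from profile 3 begins
  { profileId: 3, pubId: 103, timestamp: 1002 },
  { profileId: 3, pubId: 104, timestamp: 1003 },
  { profileId: 3, pubId: 105, timestamp: 1004 },
  { profileId: 9, pubId: 106, timestamp: 1005 }, // genuine commenter
  { profileId: 3, pubId: 107, timestamp: 1500 }, // profile 3 again, outside the burst window
];
// Newest first, but at most `maxPerProfile` comments from one profile within any
// `windowSec` span are shown inline; the surplus is counted per profile and collapsed.
function rankComments(comments, { maxPerProfile = 1, windowSec = 300 } = {}) {
  const sorted = [...comments].sort((a, b) => b.timestamp - a.timestamp);
  const visible = [];
  const collapsed = new Map(); // profileId -> number of hidden comments
  const recent = new Map();    // profileId -> timestamps of its inline comments
  for (const c of sorted) {
    const inWindow = (recent.get(c.profileId) || []).filter(t => t - c.timestamp <= windowSec);
    if (inWindow.length >= maxPerProfile) {
      collapsed.set(c.profileId, (collapsed.get(c.profileId) || 0) + 1);
    } else {
      visible.push(c);
      recent.set(c.profileId, [...inWindow, c.timestamp]);
    }
  }
  return { visible, collapsed };
}

// Sliding-window burst detector: returns the profileIds that posted more than
// `threshold` comments inside any `windowSec` span, for a front end's report queue.
function detectBursts(comments, { windowSec = 60, threshold = 3 } = {}) {
  const byProfile = new Map();
  for (const c of comments) {
    if (!byProfile.has(c.profileId)) byProfile.set(c.profileId, []);
    byProfile.get(c.profileId).push(c.timestamp);
  }
  const flagged = [];
  for (const [profileId, ts] of byProfile) {
    ts.sort((a, b) => a - b);
    let start = 0, best = 0;
    for (let end = 0; end < ts.length; end++) {
      while (ts[end] - ts[start] > windowSec) start++; // shrink window from the left
      best = Math.max(best, end - start + 1);
    }
    if (best > threshold) flagged.push(profileId);
  }
  return flagged;
}
```

Both functions key on profileId, so a flood spread across many freshly created profiles is not caught, which is the limitation the judge raises about separate EOAs.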
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/PublishingLogic.sol#L182
Vulnerability details
Impact
Since there is no time-gap restriction between multiple comments made by a user, a user can use this to mass-flood a victim's publication with spam comments. This will impact both the victim's publication and the comment writers on the victim's publication.
Proof of Concept
1. User A does not like User B's publication, or wants to highlight his own publication.
2. User A will simply use the createComment function in PublishingLogic.sol#L182 to make spam comments on User B's publication.
3. Since there is no time-gap restriction before a new comment can be made, User A repeats Step 2 500+ times so that all genuine comments on User B's publication get pushed below (assuming the later UI will show comments based on block.timestamp).
4. So when User C wants to see comments on User B's post, he would first see all the spam posts made by User A, which will tire him of scrolling down for the genuine comments.
This also causes a loss for genuine comment writers on the publication, as now users will rarely collect their comments.
Recommended Mitigation Steps