Closed code423n4 closed 2 years ago
Decline; this functionality is as designed.
User A, by setting referral fees, understands that their per-Publication fees are minus the referral rate. Additional collect modules can be built blocking bad referral behavior.
I believe this is a duplicate of #20 which is pending the sponsor's reply.
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/PublishingLogic.sol#L247
Vulnerability details
Impact
The user will pay lower Collect Module fees and the difference will be borne by the Publication owner. This way the Publication owner will always be at a loss.
An attacker can also make this a business in which he collects the victim's NFT at a discounted price and then sells that NFT to other users using the transfer function.
Proof of Concept
User A creates a new post publication using createPost in PublishingLogic.sol#L122
User B wants to collect the post publication by User A. He calls the collect function at InteractionLogic.sol#L97
The collect function will call processCollect on the Collect Module and ask User B for fees X (Treasury fees + User A fees)
User B does not approve and the transaction fails
Now, to reduce this fee X, User B simply creates a mirror of User A's publication using the createMirror function at PublishingLogic.sol#L247
A new mirror gets created pointing to User A's publication and owned by User B
User B simply calls the collect function at InteractionLogic.sol#L97
This time processCollect on the Collect Module is run again, but since the call is coming from a mirror, a referral fee is calculated for the mirror owner
In our case the mirror owner is User B, so the final fee becomes (Treasury fees + User B referral fees + (User A fees - User B referral fees))
So in this case User B gets a discount equal to User B's referral fees and User A incurs that loss
Recommended Mitigation Steps
A user should not be allowed to collect using a mirror owned by his own profile, although there is a bypass in which the user can create a mirror of the victim's publication from one wallet and use another wallet to make the collect.
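The fee arithmetic from the proof of concept and the check proposed under the mitigation steps, as an added Python model that is not part of the original report or of the Lens contracts. The basis-point split order, the sample amounts and all names (`split_fee`, `process_collect`, `block_self_referral`) are assumptions made for illustration.

```python
# Added illustration: a model of the fee split described in the report.
# Names, the split order and the sample values are assumptions, not Lens code.
from dataclasses import dataclass

BPS_MAX = 10_000  # assumed basis-point denominator


@dataclass(frozen=True)
class Settlement:
    treasury: int   # protocol treasury share
    referrer: int   # share paid to the mirror owner (0 on a direct collect)
    creator: int    # share left for the publication owner (User A)


class SelfReferral(Exception):
    """The collector also owns the mirror used as referrer."""


def split_fee(amount, treasury_bps, referral_bps, via_mirror):
    """Split a collect fee; the referral cut comes out of the creator's part."""
    treasury = amount * treasury_bps // BPS_MAX
    rest = amount - treasury
    referrer = rest * referral_bps // BPS_MAX if via_mirror else 0
    return Settlement(treasury, referrer, rest - referrer)


def process_collect(collector, mirror_owner, amount, treasury_bps,
                    referral_bps, block_self_referral=False):
    """Return (settlement, collector's net cost); mirror_owner=None is a direct collect."""
    via_mirror = mirror_owner is not None
    self_ref = via_mirror and mirror_owner == collector
    if block_self_referral and self_ref:
        raise SelfReferral("collector owns the referring mirror")
    s = split_fee(amount, treasury_bps, referral_bps, via_mirror)
    # A self-owned mirror sends the referral share back to the collector.
    return s, amount - (s.referrer if self_ref else 0)


if __name__ == "__main__":
    # Constructed values: fee 1000 units, 5% treasury, 10% referral.
    print("direct      ", process_collect("B", None, 1000, 500, 1000))
    print("own mirror  ", process_collect("B", "B", 1000, 500, 1000))
    # The address check passes when the mirror sits in a second wallet,
    # which is the limitation the report itself notes.
    print("other wallet", process_collect("B", "B2", 1000, 500, 1000, True))
```

With these constructed values the creator's share falls from 950 to 855 whenever a mirror is the referrer. An address-equality check only changes the outcome when the mirror and the collector are the same address.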