Closed code423n4 closed 2 years ago
decline, profileNFTs are designed to be transferred. XSS attacks should be resolved at the FE level, not by the contracts. Create Profile is controlled by an Allowlist controlled by governance. Ideally governance should only allow minting contracts that have spam protection.
You can't realistically implement this on a smart contract level. I agree with the sponsor that this should be resolved at the front-end level.
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/base/ERC721Time.sol#L390
Vulnerability details
Impact
An attacker can create a thousand profiles with posts containing malicious content, say as contentURI. The attacker then simply transfers all these thousand profiles to the victim using the transfer function in ERC721Time.sol#L390.
Proof of Concept
Recommended Mitigation Steps
Users should not be allowed to transfer their profile to another user.
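The sponsor and judge close this with "resolve XSS at the front-end level". As an added example (not code from the Lens repository or from this report), this is what that looks like: the front end treats every field that arrived through chain data, including the contentURI of a profile someone transferred to the viewer, as untrusted. The scheme allow-list and the shape of the profile object are assumptions for the demo, and the sample profiles are constructed.

```javascript
// Added example, not code from the Lens repo or from this issue: a front-end
// treating profile contentURI values as untrusted, which is where the sponsor
// and judge say XSS from attacker-controlled profiles must be handled.
// ALLOWED_SCHEMES and the profile object shape are assumptions for the demo.
const ALLOWED_SCHEMES = new Set(["https:", "ipfs:", "ar:"]);
const MAX_URI_LENGTH = 2048;

// Returns a normalised URI string, or null if the value must not be rendered
// as a link. Rejects javascript:, data:, vbscript: and any other scheme outside
// the allow-list, plus non-strings, empty and oversized values.
function safeContentURI(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > MAX_URI_LENGTH) {
    return null;
  }
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return null;
  }
  return url.href;
}

// Escapes the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the HTML for one profile card. Every field that came from chain data
// is escaped, and the contentURI only becomes a link if it passed the filter.
function renderProfileCard(profile) {
  const handle = escapeHtml(profile.handle);
  const uri = safeContentURI(profile.contentURI);
  const content = uri
    ? `<a href="${escapeHtml(uri)}" rel="noopener noreferrer">${escapeHtml(uri)}</a>`
    : `<span class="blocked">content URI rejected</span>`;
  return `<div class="profile"><span class="handle">${handle}</span> ${content}</div>`;
}

// Constructed sample: one benign profile and one shaped like the attack in the
// report (an attacker-minted profile whose fields carry script payloads).
const SAMPLE_PROFILES = [
  { profileId: 1, handle: "alice.lens", contentURI: "ipfs://QmExampleCid/profile.json" },
  { profileId: 2, handle: '<img src=x onerror="alert(1)">', contentURI: "javascript:alert(document.cookie)" },
];

function renderAll(profiles) {
  return profiles.map(renderProfileCard);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const html of renderAll(SAMPLE_PROFILES)) console.log(html);
}
```

The point of the split between safeContentURI and escapeHtml is that they defend against different things: the scheme check stops a javascript: or data: URI from ever becoming a clickable href, and the escaping stops a handle or URI from breaking out of the text or attribute it is placed in. Neither depends on who minted or transferred the profile, which is why the contract-level transfer restriction the report asks for would not be needed for this class of bug.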