code-423n4 / 2022-02-aave-lens-findings


Possible XSS and spamming #33

Closed (code423n4 closed this issue 2 years ago)

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/base/ERC721Time.sol#L390

Vulnerability details

Impact

An attacker can create a thousand profiles, each with a post whose contentURI contains malicious content. The attacker then simply transfers all these thousand profiles to the victim using the transfer function in ERC721Time.sol#L390.

Proof of Concept

  1. The attacker creates 1000+ profiles using createProfile at LensHub.sol#L142.
  2. After creating these profiles, the attacker simply creates posts on these 1000+ profiles with contentURI as
  3. The attacker simply transfers all these 1000+ profiles to the victim.
  4. Once the victim connects to an app built on Aave Lens, the victim will see all those 1000+ profiles, which spam the home screen.
  5. Also, if the victim clicks on any of these profiles and the UI does not handle the XSS payload correctly, the malicious code in contentURI gets executed.

Recommended Mitigation Steps

A user should not be allowed to transfer their profile to another user.

oneski commented 2 years ago

decline, profileNFTs are designed to be transferred. XSS attacks should be resolved at the FE level not by the contracts. Create Profile is controlled by an Allowlist controlled by governance. Ideally governance should only allow minting contracts that have spam protection.

0xleastwood commented 2 years ago

You can't realistically implement this on a smart contract level. I agree with the sponsor that this should be resolved at the front-end level.