Closed code423n4 closed 2 years ago
Invalid. Multiple follows are intended; there are modules that can prevent this, but even checking balance would make no difference, as making multiple wallets is trivial.
Deferring to #35 for now and will mark as invalid for now.
I think this is easily sidestepped by using multiple EOAs; this is addressed in https://github.com/code-423n4/2022-02-aave-lens-findings/issues/35
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/InteractionLogic.sol#L38-L83
Vulnerability details
Impact
There are two implications of this issue:
1. User A can follow User B repeatedly (say 1000 times), gaining multiple follow NFTs from User B. This becomes a problem if User B has created a voting strategy such as "the first 1000 follows have one vote each" (https://docs.lens.dev/docs/follow); in that case User A alone gets 1000 votes, which is incorrect.
2. User A can create a profile and keep following his own profile 10000+ times. Other users will then see User A's profile as a popular profile with 10000 followers and may want to follow User A, which costs money under the fee follow module.
Proof of Concept
Higher DAO Power:
User B creates a voting strategy in which "the first 1000 follows have one vote each", as described at https://docs.lens.dev/docs/follow
User A follows User B repeatedly (say 1000 times), gaining multiple follow NFTs from User B.
User A alone holds all 1000 votes.
Fake follower:
Recommended Mitigation Steps
Add the check below in the follow function:
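As an added illustration of what a one-follow-per-address check could look like (this is not code from the Lens repository or from this finding; the `IFollowModule` hook shape it builds on is my recollection of the Lens v1 follow-module interface and is an assumption, as is the `HUB` wiring): a follow module that rejects a second follow of the same profile from the same address. The maintainers' response above applies to it as well: the key is an address, so a follower can sidestep it by following again from a fresh EOA; it raises the cost of the 1000-follow loop from one account rather than removing the possibility.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added example, not Lens code. The interface below mirrors the Lens v1
// follow-module hooks as I recall them (assumption). The hub calls
// processFollow once per follow, so the module can track follows itself
// instead of relying on FollowNFT balances, whose mint ordering relative
// to processFollow is a hub implementation detail.
interface IFollowModule {
    function initializeFollowModule(uint256 profileId, bytes calldata data)
        external
        returns (bytes memory);

    function processFollow(address follower, uint256 profileId, bytes calldata data) external;

    function followModuleTransferHook(
        uint256 profileId,
        address from,
        address to,
        uint256 followNFTTokenId
    ) external;

    function isFollowing(
        uint256 profileId,
        address follower,
        uint256 followNFTTokenId
    ) external view returns (bool);
}

/// @notice Hypothetical follow module: at most one follow per (profile, address).
contract SingleFollowModule is IFollowModule {
    error NotHub();
    error AlreadyFollowing(uint256 profileId, address follower);

    // Assumed: the hub address is fixed at deployment, as Lens modules do.
    address public immutable HUB;

    // profileId => follower => already followed
    mapping(uint256 => mapping(address => bool)) private _hasFollowed;

    constructor(address hub) {
        HUB = hub;
    }

    // Only the hub may drive the hooks; otherwise anyone could pre-fill
    // _hasFollowed for a victim address and block their legitimate follow.
    modifier onlyHub() {
        if (msg.sender != HUB) revert NotHub();
        _;
    }

    function initializeFollowModule(uint256, bytes calldata)
        external
        view
        override
        onlyHub
        returns (bytes memory)
    {
        return "";
    }

    /// @dev Reverts on a repeat follow from the same address, so a single
    ///      account cannot loop follow() to collect many follow NFTs.
    ///      It does NOT stop the same person following from many EOAs.
    function processFollow(address follower, uint256 profileId, bytes calldata)
        external
        override
        onlyHub
    {
        if (_hasFollowed[profileId][follower]) revert AlreadyFollowing(profileId, follower);
        _hasFollowed[profileId][follower] = true;
    }

    function followModuleTransferHook(uint256, address, address, uint256)
        external
        override
        onlyHub
    {}

    function isFollowing(uint256 profileId, address follower, uint256)
        external
        view
        override
        returns (bool)
    {
        return _hasFollowed[profileId][follower];
    }
}
```

The module records the original follower rather than the current NFT holder, so a transferred follow NFT does not free the original address to follow again; whether that is the wanted behaviour depends on the voting or fee design a profile owner attaches to it.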