code-423n4 / 2022-02-aave-lens-findings


Higher DAO power + Fake Follower #34

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/InteractionLogic.sol#L38-L83

Vulnerability details

Impact

There are 2 implications of this issue:

  1. User A can follow User B repeatedly (say 1000 times), gaining him multiple follow NFTs from User B. This becomes a problem if User B has created a voting strategy like "The first 1000 follows have one vote each". In this case User A gets 1000 votes, which is incorrect (https://docs.lens.dev/docs/follow).

  2. User A can create a profile and keep following his own profile 10000+ times. Other users will then see User A's profile as a popular profile with 10000 followers and will want to follow User A (which costs money under the fee follow module).

Proof of Concept

Higher DAO Power:

  1. User B creates a voting strategy where "The first 1000 follows have one vote each", as depicted in https://docs.lens.dev/docs/follow

  2. User A follows User B repeatedly (say 1000 times), gaining him multiple follow NFTs from User B.

  3. User A gets all 1000 votes.

Fake follower:

  1. User A creates a new profile with address 0 as the Follow Module
  2. User A calls the follow function at InteractionLogic.sol#L38
  3. User A repeats step 2 10000 times
  4. This provides User A with 10000 follow NFTs of User A's profile
  5. User A now simply changes the follow module to the fee follow module using setFollowModule at LensHub.sol#L160
  6. User B is trying to find popular profiles and ends up seeing User A's profile with 10000+ followers
  7. User B is impressed and follows User A, which costs him fees
  8. Similar to User B, other users also discover User A's profile and follow him because of those initial fake follows

Recommended Mitigation Steps

Add the checks below to the follow function:

```solidity
// Reject a follower who already holds this profile's follow NFT
if (IERC721(followNFT).balanceOf(follower) > 0)
    revert Errors.FollowInvalid();

// Reject a profile owner following their own profile
require(_profileById[profileId].to != follower, "cannot follow self");
```

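As an added illustration (not Lens Protocol code and not part of the report), a stripped-down follow path showing where the two proposed checks would sit; the `Profile` struct, the `IFollowNFT.mint` call and the `SelfFollow` error are assumed names, and the comment on the last check records the maintainer response from this thread.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal ERC-721 surface needed for the balance check (assumed, not OpenZeppelin's file)
interface IERC721 {
    function balanceOf(address owner) external view returns (uint256);
}

// Assumed follow NFT interface: the collection mints one token per follow
interface IFollowNFT is IERC721 {
    function mint(address to) external returns (uint256);
}

library Errors {
    error FollowInvalid();
    error SelfFollow();
}

contract FollowGuardExample {
    struct Profile {
        address owner;     // profile owner (the `.to` in the report's check)
        address followNFT; // this profile's follow NFT collection
    }

    mapping(uint256 => Profile) internal _profileById;

    // Hypothetical follow path: mints a follow NFT for `follower` on `profileId`
    function _follow(address follower, uint256 profileId) internal returns (uint256) {
        Profile storage p = _profileById[profileId];

        // Proposed check 1: a wallet that already holds this profile's follow NFT
        // cannot mint another one.
        if (IERC721(p.followNFT).balanceOf(follower) > 0) revert Errors.FollowInvalid();

        // Proposed check 2: a profile owner cannot follow their own profile.
        if (p.owner == follower) revert Errors.SelfFollow();

        // Both checks are per-wallet: as the maintainers note below, a user
        // controlling several wallets is not stopped by them.
        return IFollowNFT(p.followNFT).mint(follower);
    }
}
```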
Zer0dot commented 2 years ago

Invalid. Multiple follows are intended, there are modules that can prevent this but even checking balance would make no difference as making multiple wallets is trivial.

0xleastwood commented 2 years ago

Deferring to #35 for now and will mark as invalid for now.

0xleastwood commented 2 years ago

I think this is easily sidestepped by using multiple EOAs; this is addressed in https://github.com/code-423n4/2022-02-aave-lens-findings/issues/35