Closed code423n4 closed 2 years ago
Declined, this is by design. Alternative collect modules can include additional logic to prevent this behavior.
I think I can mostly agree that it doesn't seem likely a user would call collect()
more than once (it can be easily side-stepped by using multiple EOAs). However, is there any reason why this isn't enforced in this specific module? Is it meant to act as a reference implementation to be built upon? @oneski
I think I can mostly agree that it doesn't seem likely a user would call
collect()
more than once (it can be easily side-stepped by using multiple EOAs). However, is there any reason why this isn't enforced in this specific module? Is it meant to act as a reference implementation to be built upon? @oneski
So the idea is that the fee is the anti-spam mechanism here. If a user wants to pay for 10 collects, they should be allowed to. Plus, as you mentioned limiting on a per-wallet basis isn't really ideal!
I agree with the sponsor, not really an easy fix to this and I think alternative logic can be added down the line.
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/InteractionLogic.sol#L97
Vulnerability details
Impact
By mistake user can collect same publication twice costing user monetary losses (collect fees)
Attacker can exhaust collect limit (LimitedTimedFeeCollectModule.sol) which is set on a publication by collecting same publication again and again until collect limit is exhausted. This gives unfair chance to other users
User can set a collect limit and collect his own publication near to collect limit. Other users will think to buy this fast selling publication
Proof of Concept
Case 1:
Case 2:
Recommended Mitigation Steps
If user has already collected a publication then collect function should revert