Status: Closed (code423n4 closed this 2 years ago)
as designed. multiple follows are valid.
I think this is a similar issue to the one outlined in #35, which I will defer for now until I discuss with the sponsor. However, I'll mark this as invalid for now.
I think this is easily sidestepped by using multiple EOAs; this is addressed in #35.
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/libraries/InteractionLogic.sol#L47

Vulnerability details

Impact
The follow logic allows a caller to follow the same profileId more than once and mint multiple followNFTs.

Proof of Concept
Nothing prevents sending the same profileId as a duplicate inside the array, so multiple followNFTs are minted in one request in InteractionLogic.sol#L47.

Recommended Mitigation Steps
Check whether the user already follows the profileId.
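As an added illustration, and not code from the Lens Protocol repository or from the warden's report, the snippet below sketches the mitigation the report recommends next to the unchecked loop it describes. The contract, its error names and the followBalance mapping are hypothetical stand-ins for the profile and followNFT bookkeeping; the real InteractionLogic.follow clones and mints an NFT per profile. Note that the sponsor's reply above treats multiple follows as valid by design, and the judge points out that a per-address check is sidestepped with multiple EOAs, so this shows only the mechanics of the suggested check, not a change the project adopted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal follow bookkeeping (not Lens code): a follow is
// modelled as a counter per (profileId, follower) instead of an NFT mint.
contract FollowBatchExample {
    error ArrayMismatch();
    error TokenDoesNotExist();
    error AlreadyFollowing(uint256 profileId);

    // profileId => exists; stands in for the handle-hash lookup that
    // rejects non-existent profiles.
    mapping(uint256 => bool) public profileExists;

    // profileId => follower => number of follow tokens "minted" to them.
    mapping(uint256 => mapping(address => uint256)) public followBalance;

    function createProfile(uint256 profileId) external {
        profileExists[profileId] = true;
    }

    // The pattern the report describes: every array entry mints, so passing
    // [7, 7, 7] yields three follow tokens for msg.sender on profile 7.
    function followUnchecked(uint256[] calldata profileIds, bytes[] calldata datas) external {
        if (profileIds.length != datas.length) revert ArrayMismatch();
        for (uint256 i = 0; i < profileIds.length; ++i) {
            if (!profileExists[profileIds[i]]) revert TokenDoesNotExist();
            followBalance[profileIds[i]][msg.sender] += 1; // "mint"
        }
    }

    // The recommended check: refuse to mint when msg.sender already holds a
    // follow token for this profile. Because state is updated before the
    // next iteration, the same check also rejects a profileId that appears
    // twice in one array, so no separate in-batch duplicate scan is needed.
    function followChecked(uint256[] calldata profileIds, bytes[] calldata datas) external {
        if (profileIds.length != datas.length) revert ArrayMismatch();
        for (uint256 i = 0; i < profileIds.length; ++i) {
            uint256 id = profileIds[i];
            if (!profileExists[id]) revert TokenDoesNotExist();
            if (followBalance[id][msg.sender] != 0) revert AlreadyFollowing(id);
            followBalance[id][msg.sender] += 1; // "mint"
        }
    }
}
```

Calling followChecked with [7, 7] reverts with AlreadyFollowing(7) on the second entry; calling it from a second address succeeds, which is the multiple-EOA sidestep the judge refers to.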