code-423n4 / 2022-02-aave-lens-findings


Multiple `followNFT` mint #48

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/libraries/InteractionLogic.sol#L47

Vulnerability details

Impact

The follow logic allows following the same profileId more than once and minting multiple followNFTs.

Proof of Concept

Nothing prevents sending the same profileId duplicated inside the array, which mints multiple followNFTs in one request in InteractionLogic.sol#L47.

Recommended Mitigation Steps

Check if the user already follows the profileId.
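A simplified model of the behaviour the finding describes, added here as an example and not taken from Lens Protocol's InteractionLogic: `followUnchecked` mints one follow NFT per array entry with no duplicate check, and `followChecked` applies the recommended "already following" check. Contract, function and mapping names are hypothetical; the counter stands in for the real follow NFT mint.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added example (not Lens Protocol code): a minimal follow() that mints
// one follow NFT per entry of `profileIds`, beside the duplicate check the
// finding recommends. All names are hypothetical.
contract FollowModel {
    // profileId => follower => number of follow NFTs minted so far
    mapping(uint256 => mapping(address => uint256)) public followCount;

    error AlreadyFollowing(uint256 profileId);

    event Followed(address indexed follower, uint256 indexed profileId);

    // Reported behaviour: nothing rejects a repeated profileId, so an input
    // such as [42, 42, 42] mints three follow NFTs for profile 42 in one call.
    function followUnchecked(uint256[] calldata profileIds) external {
        for (uint256 i = 0; i < profileIds.length; ++i) {
            _mint(profileIds[i]);
        }
    }

    // Recommended mitigation: revert if the caller already follows the
    // profile. Because the count is updated before the next iteration, this
    // also rejects duplicates inside the same array.
    function followChecked(uint256[] calldata profileIds) external {
        for (uint256 i = 0; i < profileIds.length; ++i) {
            if (followCount[profileIds[i]][msg.sender] != 0) {
                revert AlreadyFollowing(profileIds[i]);
            }
            _mint(profileIds[i]);
        }
    }

    // Stands in for IFollowNFT.mint(follower) in the real protocol.
    function _mint(uint256 profileId) internal {
        followCount[profileId][msg.sender] += 1;
        emit Followed(msg.sender, profileId);
    }
}
```

Note that this check is keyed on `msg.sender`, so, as the judge points out below, it does not stop the same person from repeating the call from several EOAs.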

oneski commented 2 years ago

As designed. Multiple follows are valid.

0xleastwood commented 2 years ago

I think this is a similar issue outlined in #35 which I will defer for now until I discuss with the sponsor. However, I'll mark this as invalid for now.

0xleastwood commented 2 years ago

I think this is easily sidestepped by using multiple EOAs; this is addressed in #35.