Closed code423n4 closed 2 years ago
Invalid. Follow NFT and Collect NFT clones are initialized atomically, the hub is initialized atomically via upgradeToAndCall or the proxy constructor, and implementations cannot be initialized.
Agree, these contracts are initialised atomically upon deployment.
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/FollowNFT.sol#L53
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/CollectNFT.sol#L34
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/LensHub.sol#L63
Vulnerability details
Impact
In FollowNFT.sol the initialize() function can only be called once, setting the _profileId in storage. It can be called by an attacker who monitors newly deployed contract bytecode and submits the call with a higher gas fee before the protocol has a chance to call it. The same applies to several other initialize() functions throughout the code base, linked below.
Proof of Concept
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/FollowNFT.sol#L53
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/CollectNFT.sol#L34
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/LensHub.sol#L63
Tools Used
Manual code review
Recommended Mitigation Steps
The initialize() function should be called from a deployment script, or in such a way that an attacker cannot call it before the protocol does.
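Added illustration, not code from the Lens repository: a simplified one-shot initializer next to a factory that deploys an EIP-1167 minimal proxy and calls initialize() in the same transaction, which is the atomic pattern the sponsor comment refers to. The contract names, the profileId argument and the sentinel used to lock the implementation are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified stand-in for a clone target with a one-shot initializer (not the real FollowNFT).
contract FollowNFTLike {
    uint256 internal _profileId;
    bool private _initialized;

    // Reverts on any second call, so whoever calls first fixes _profileId forever.
    function initialize(uint256 profileId) external {
        require(!_initialized, "already initialized");
        _initialized = true;
        _profileId = profileId;
    }

    function profileId() external view returns (uint256) {
        return _profileId;
    }
}

// Factory that creates the clone and initializes it within one transaction, so there is
// no block in which an unrelated sender could call initialize() on the fresh clone first.
contract AtomicCloneFactory {
    address public immutable implementation;

    constructor(address implementation_) {
        implementation = implementation_;
        // Lock the shared implementation itself: after this, nobody can initialize it.
        // type(uint256).max is a constructed sentinel value for this example.
        FollowNFTLike(implementation_).initialize(type(uint256).max);
    }

    function deployFollowNFT(uint256 profileId) external returns (address clone) {
        address impl = implementation; // immutables are not readable inside inline assembly
        assembly {
            let ptr := mload(0x40)
            // EIP-1167 minimal proxy creation code with the implementation address spliced in.
            mstore(ptr, 0x3d602d80600a3d3981f3363d3d373d3d3d363d73000000000000000000000000)
            mstore(add(ptr, 0x14), shl(0x60, impl))
            mstore(add(ptr, 0x28), 0x5af43d82803e903d91602b57fd5bf30000000000000000000000000000000000)
            clone := create(0, ptr, 0x37)
        }
        require(clone != address(0), "clone failed");
        // Same transaction as the create above: no front-running window exists.
        FollowNFTLike(clone).initialize(profileId);
    }
}
```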