code-423n4 / 2022-02-aave-lens-findings


initialize() functions can be called by an attacker first #5

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/FollowNFT.sol#L53 https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/CollectNFT.sol#L34 https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/LensHub.sol#L63

Vulnerability details

Impact

In FollowNFT.sol the initialize() function can only be called once, setting the _profileId in storage. This function can be called by an attacker monitoring the blockchain byte code and using a higher gas fee before the protocol has a chance to call it. This is also the case for several initialize() functions throughout the code base linked below.

Proof of Concept

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/FollowNFT.sol#L53

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/CollectNFT.sol#L34

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/LensHub.sol#L63

Tools Used

Manual code review

Recommended Mitigation Steps

The initialize() function should be called in a deployment script or in a way where an attacker cannot call it first, before the protocol is able to do so.

Zer0dot commented 2 years ago

Invalid. Follow NFT and Collect NFT clones are initialized atomically, the hub is initialized atomically via upgradeToAndCall or the proxy constructor, and implementations cannot be initialized.

0xleastwood commented 2 years ago

Agree, these contracts are initialised atomically upon deployment.
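The two points made in this thread, the finding's mitigation (initialize in the same step as deployment) and the sponsor's reply (clones initialized atomically, bare implementations locked), as an added illustration that is not Lens code: `InitGuard`, `FollowNFTLike`, `InitProxy` and `FollowNFTFactory` are hypothetical stand-ins, written to show the pattern rather than the audited contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical one-shot initializer guard (stand-in, not the Lens contracts' own logic).
abstract contract InitGuard {
    bool private _initialized;
    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }
    // Run in the implementation's constructor: the bare implementation can then never be
    // initialized by anyone; only proxies that delegatecall into it have a fresh flag.
    function _lockInitializers() internal { _initialized = true; }
}

// Stand-in for FollowNFT: whoever calls initialize first fixes profileId forever.
// Deploying this with `new` and calling initialize in a later transaction leaves a window
// in which any sender can make that first call; the factory below closes the window.
contract FollowNFTLike is InitGuard {
    uint256 public profileId;
    constructor() { _lockInitializers(); }
    function initialize(uint256 id) external initializer { profileId = id; }
}

// Minimal proxy whose constructor forwards the init call by delegatecall, so deployment
// and initialization happen in one transaction and nothing can be interleaved between them.
// `implementation` is immutable (bytecode, not storage), so it cannot collide with the
// implementation's storage layout.
contract InitProxy {
    address public immutable implementation;
    constructor(address impl, bytes memory initData) {
        implementation = impl;
        (bool ok, ) = impl.delegatecall(initData);
        require(ok, "init failed");
    }
    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok case 0 { revert(0, returndatasize()) } default { return(0, returndatasize()) }
        }
    }
}

// Factory: the implementation is locked at construction; each deploy() creates a proxy and
// initializes it in the same call, which is the "atomic" property the reply refers to.
contract FollowNFTFactory {
    address public immutable impl;
    constructor() { impl = address(new FollowNFTLike()); }
    function deploy(uint256 id) external returns (address) {
        bytes memory data = abi.encodeWithSelector(FollowNFTLike.initialize.selector, id);
        return address(new InitProxy(impl, data));
    }
}
```

Calling `FollowNFTLike(impl).initialize(...)` on the factory's implementation reverts, and a proxy returned by `deploy()` already has `profileId` set, so there is no uninitialized contract for a third party to claim.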