Closed code423n4 closed 2 years ago
First one is invalid, second one is an edge case that is not worth the gas of validating in my opinion, unless I am missing a vulnerability @donosonaumczuk @miguelmtzinf if you have feedback.
~First one not only applies to emitFollowNFTTransferEvent but also to emitCollectNFTTransferEvent.~ Edit: first is invalid as Zer0dot said, we are requiring the caller to be the collect/follow NFT, not the owner.
I think the second one does not introduce any vulnerability, the only "issue" is that delegating yourself does not make sense semantically, but I agree that it is not worth adding the restriction.
I'll side with the sponsors on this one, the suggestions seem unnecessary.
NFT owners can write to emit without actually doing a token conversion.
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/LensHub.sol#L631-L640
NFT owners can directly call the LensHub.emitFollowNFTTransferEvent to write emit without actually doing a token conversion.
The _delegate function allows passing in the same delegator parameter value and delegatee parameter value.
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/FollowNFT.sol#L73-L75
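The caller check the sponsors describe in the comments above (the hub accepts the emit call only from the follow NFT contract, not from a token owner), shown as an added example that is not the project's code. `HubModel`, `FollowNFTModel`, `followNFTOf`, the error name and the event signature are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Hypothetical, simplified model of a hub that relays NFT transfer events.
contract HubModel {
    error CallerNotFollowNFT();

    event FollowNFTTransferred(
        uint256 indexed profileId, uint256 indexed tokenId,
        address from, address to, uint256 timestamp
    );

    // profileId => follow NFT contract deployed for that profile
    mapping(uint256 => address) public followNFTOf;

    constructor(uint256 profileId) {
        // The hub deploys the NFT itself, so the registered address is trusted.
        followNFTOf[profileId] =
            address(new FollowNFTModel(address(this), profileId, msg.sender));
    }

    function emitFollowNFTTransferEvent(
        uint256 profileId, uint256 tokenId, address from, address to
    ) external {
        // An NFT owner calling directly is not the registered contract: revert.
        if (msg.sender != followNFTOf[profileId]) revert CallerNotFollowNFT();
        emit FollowNFTTransferred(profileId, tokenId, from, to, block.timestamp);
    }
}

// Hypothetical, minimal follow NFT: one token, owner-only transfer.
contract FollowNFTModel {
    HubModel public immutable hub;
    uint256 public immutable profileId;
    mapping(uint256 => address) public ownerOf;

    constructor(address hub_, uint256 profileId_, address firstOwner) {
        hub = HubModel(hub_);
        profileId = profileId_;
        ownerOf[1] = firstOwner;
    }

    function transfer(uint256 tokenId, address to) external {
        require(ownerOf[tokenId] == msg.sender, "not owner");
        ownerOf[tokenId] = to;
        // The event is reachable only through a real ownership change here.
        hub.emitFollowNFTTransferEvent(profileId, tokenId, msg.sender, to);
    }
}
```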