Closed code423n4 closed 2 years ago
Invalid, this is intended behavior and is even present in tests, it's up to the follow module to dictate these dynamics.
I'll defer this to #35 for now and mark as invalid.
I think this is easily sidestepped by using multiple EOAs, this is addressed in https://github.com/code-423n4/2022-02-aave-lens-findings/issues/35
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/InteractionLogic.sol#L38
Vulnerability details
Impact
In InteractionLogic.sol the follow() function follows a given profile and then mints the follow NFTs to the follower. There are currently no guards against following the same profiles over and over again, with the follower receiving multiple follow NFTs. This is similar to someone being able to manipulate their followers on a typical social media app, and this should not be permitted since in this case it can lead to the protocol being manipulated.
Proof of Concept
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/InteractionLogic.sol#L38
Tools Used
Manual code review
Recommended Mitigation Steps
Add logic that reverts when a user tries to follow profiles that they already follow.
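As an added illustration of the mitigation suggested above (this is example code written for this page, not Lens code and not the project's own follow module), the sketch below shows a hypothetical follow module that records, per profile, which follower addresses have already followed and reverts on a repeat. The contract name, the `HUB` address, and the `processFollow(address follower, uint256 profileId, bytes calldata data)` hook signature are assumptions for the example; the real hub/module interface should be taken from the repository.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical follow module (example only, not part of the Lens codebase):
/// refuses a second follow of the same profile from the same follower address,
/// so that one address cannot accumulate several follow NFTs for one profile.
contract OneFollowPerAddressModule {
    error AlreadyFollowing(uint256 profileId, address follower);
    error NotHub();

    /// Assumed hub address: the only caller allowed to invoke the follow hook.
    address public immutable HUB;

    /// profileId => follower address => has already followed this profile
    mapping(uint256 => mapping(address => bool)) private _followed;

    constructor(address hub) {
        HUB = hub;
    }

    /// Assumed hook, invoked by the hub before the follow NFT is minted.
    /// Reverts if `follower` is already recorded as following `profileId`.
    function processFollow(
        address follower,
        uint256 profileId,
        bytes calldata /* data */
    ) external {
        if (msg.sender != HUB) revert NotHub();
        if (_followed[profileId][follower]) {
            revert AlreadyFollowing(profileId, follower);
        }
        _followed[profileId][follower] = true;
    }

    /// View helper so off-chain tooling and tests can confirm the guard state.
    function isFollowing(uint256 profileId, address follower) external view returns (bool) {
        return _followed[profileId][follower];
    }
}
```

Note what this guard does and does not cover: it is keyed on the follower address, so it stops a single address from minting duplicate follow NFTs for one profile, but, as the thread points out, it does nothing against the same person following from several EOAs. A follow module that wants to bound follower counts more strongly would need to restrict who may follow at all (for example an allowlist or a fee), rather than only deduplicating per address.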