code-423n4 / 2022-02-aave-lens-findings


No guards against following the same profile multiple times #6

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/InteractionLogic.sol#L38

Vulnerability details

Impact

In InteractionLogic.sol the follow() function follows a given profile and then mints the follow NFTs to the follower. There are currently no guards against following the same profiles over and over again, with the follower receiving multiple follow NFTs. This is similar to someone being able to manipulate their followers on a typical social media app, and this should not be permitted since in this case it can lead to the protocol being manipulated.

Proof of Concept

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/InteractionLogic.sol#L38

Tools Used

Manual code review

Recommended Mitigation Steps

Add logic that reverts when a user tries to follow profiles that they already follow.

Zer0dot commented 2 years ago

Invalid: this is intended behavior and is even present in tests; it's up to the follow module to dictate these dynamics.
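The recommendation in the report (revert on a repeat follow) and the maintainer's reply (the follow module decides) point at the same place to put such a guard. The sketch below is an added illustration written for this thread, not code from the Lens repository or from either commenter: a minimal follow module that tracks, per profile, which addresses have already followed and reverts on a second attempt. The `IFollowModuleSimplified` interface, the `HUB` address and the `processFollow` signature are assumptions made for the example; the real hub/module wiring in the audited code may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed, simplified shape of the hook a hub would call into a follow module.
// Hypothetical for this example; not the project's actual interface.
interface IFollowModuleSimplified {
    function processFollow(address follower, uint256 profileId, bytes calldata data) external;
}

// Example follow module that allows each address to follow a given profile once.
contract UniqueFollowerModule is IFollowModuleSimplified {
    // Assumption: only the hub contract is allowed to invoke processFollow.
    address public immutable HUB;

    // profileId => follower address => has this address already followed?
    mapping(uint256 => mapping(address => bool)) private _hasFollowed;

    error NotHub();
    error AlreadyFollowing(uint256 profileId, address follower);

    event FollowRecorded(uint256 indexed profileId, address indexed follower);

    constructor(address hub) {
        HUB = hub;
    }

    modifier onlyHub() {
        if (msg.sender != HUB) revert NotHub();
        _;
    }

    // Called by the hub before it mints the follow NFT. Reverting here aborts
    // the whole follow transaction, so no duplicate NFT is minted.
    function processFollow(
        address follower,
        uint256 profileId,
        bytes calldata /* data */
    ) external override onlyHub {
        if (_hasFollowed[profileId][follower]) {
            revert AlreadyFollowing(profileId, follower);
        }
        _hasFollowed[profileId][follower] = true;
        emit FollowRecorded(profileId, follower);
    }

    // View helper so off-chain tooling can check the guard's state.
    function hasFollowed(uint256 profileId, address follower) external view returns (bool) {
        return _hasFollowed[profileId][follower];
    }
}
```

Two caveats a reviewer would want recorded next to this: the guard keys on `msg.sender`-supplied follower addresses, so, as 0xleastwood notes below, it does nothing against a user who simply follows from several EOAs; and it keeps no record of unfollows (for example a burned follow NFT), so a profile that wants "follow, unfollow, follow again" to work would need the module to be told about that transition as well.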

0xleastwood commented 2 years ago

I'll defer this to #35 for now and mark as invalid.

0xleastwood commented 2 years ago

I think this is easily sidestepped by using multiple EOAs; this is addressed in https://github.com/code-423n4/2022-02-aave-lens-findings/issues/35