Open code423n4 opened 2 years ago
this is by design. a more sophisticated module could implement non-transferable behavior or allow transfer only to approved addresses.
IMO, this is a valid issue. If we want to strictly adhere to the whitelist, we should not allow whitelisted addresses to transfer NFTs to non-whitelisted addresses. This limits the formation of a secondary markets where users can bypass whitelist restrictions.
IMO, this is a valid issue. If we want to strictly adhere to the whitelist, we should not allow whitelisted addresses to transfer NFTs to non-whitelisted addresses. This limits the formation of a secondary markets where users can bypass whitelist restrictions.
Unfortunately transferrability is the in the nature of the protocol. The module's purpose is not to limit follows to only whitelisted wallets (as this is impossible to guarantee in case follow NFTs existed previously, though one could use the validation function etc). Rather, the goal of this module is simply to only allow whitelisted users to mint follow NFTs, what they do with them is up to them.
Due to the confusing nature of the module, I would not dispute this but I would still disagree that it's a medium severity issue, I would mark it as low.
IMO, this is a valid issue. If we want to strictly adhere to the whitelist, we should not allow whitelisted addresses to transfer NFTs to non-whitelisted addresses. This limits the formation of a secondary markets where users can bypass whitelist restrictions.
Unfortunately transferrability is the in the nature of the protocol. The module's purpose is not to limit follows to only whitelisted wallets (as this is impossible to guarantee in case follow NFTs existed previously, though one could use the validation function etc). Rather, the goal of this module is simply to only allow whitelisted users to mint follow NFTs, what they do with them is up to them.
Due to the confusing nature of the module, I would not dispute this but I would still disagree that it's a medium severity issue, I would mark it as low.
So if I'm understanding this correctly, whitelisted users who mint follow NFTs are free to do whatever with those, whether they sell them to other parties or give them away. It's completely up to them?
If that's the case, I'll agree and mark this as QA.
IMO, this is a valid issue. If we want to strictly adhere to the whitelist, we should not allow whitelisted addresses to transfer NFTs to non-whitelisted addresses. This limits the formation of a secondary markets where users can bypass whitelist restrictions.
Unfortunately transferrability is the in the nature of the protocol. The module's purpose is not to limit follows to only whitelisted wallets (as this is impossible to guarantee in case follow NFTs existed previously, though one could use the validation function etc). Rather, the goal of this module is simply to only allow whitelisted users to mint follow NFTs, what they do with them is up to them. Due to the confusing nature of the module, I would not dispute this but I would still disagree that it's a medium severity issue, I would mark it as low.
So if I'm understanding this correctly, whitelisted users who mint follow NFTs are free to do whatever with those, whether they sell them to other parties or give them away. It's completely up to them?
If that's the case, I'll agree and mark this as QA.
Yeah although it's valid enough, this is just how the module works.
IMO, this is a valid issue. If we want to strictly adhere to the whitelist, we should not allow whitelisted addresses to transfer NFTs to non-whitelisted addresses. This limits the formation of a secondary markets where users can bypass whitelist restrictions.
Unfortunately transferrability is the in the nature of the protocol. The module's purpose is not to limit follows to only whitelisted wallets (as this is impossible to guarantee in case follow NFTs existed previously, though one could use the validation function etc). Rather, the goal of this module is simply to only allow whitelisted users to mint follow NFTs, what they do with them is up to them. Due to the confusing nature of the module, I would not dispute this but I would still disagree that it's a medium severity issue, I would mark it as low.
So if I'm understanding this correctly, whitelisted users who mint follow NFTs are free to do whatever with those, whether they sell them to other parties or give them away. It's completely up to them?
If that's the case, I'll agree and mark this as QA.
Yeah although it's valid enough, this is just how the module works.
Okay, QA it is good ser
Per conversation with the judge ( @0xleastwood ), confirmed this issue is categorized as low risk.
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/modules/follow/FollowValidatorFollowModuleBase.sol#L23-L38
Vulnerability details
Per the comment in
ApprovalFollowModule
, it aims to create a whitelist system:However, the current implementation only validates if
_approvedByProfileByOwner
when minting a newfollowNFT
. But since thefollow
relationship is verified by thefollowNFT
and thefollowNFT
can be transferred to an arbitrary address.As a result, a non-whitelisted address can bypass the whitelist by buying the
followNFT
from a whitelisted address.The
followModuleTransferHook
can be used for blocking transfers to unapproved addresses.https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/modules/follow/FollowValidatorFollowModuleBase.sol#L23-L38
PoC
Alice created a private club and selected
ApprovalFollowModule
with 100 addresses of founding members and wanted to publish publications that can only be collected by those addresses;Bob as founding members of Alice's private club, decides to sell his membership to Charlie by transfering the
followNFT
to Charlie, Charlie's address has never be approved by Alice, but he is now afollower
in Alice's private club.Recommendation
Change to: