Open code423n4 opened 2 years ago
This is valid! However, here's what I commented on #14:
"This is only an issue when a profile is deleted (burned), in which case UIs have multiple choices:
1. Stop displaying all the burnt profile's publications
2. Redirect users, when collecting mirrors, to the original publication
3. Prevent all collects
I don't think this adds any risk to the protocol and although it's valid, we will not be taking any action."
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/modules/collect/FeeCollectModule.sol#L163-L172
Vulnerability details
In the current implementation, even when the profile's owner burnt the `ProfileNFT`, as the profile's legacy, the publications can still be collected.
However, if the publication is a `Mirror` and there is a `referralFee` set by the original publication, the user won't be able to collect from a `Mirror` that was published by a burned profile.
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/modules/collect/FeeCollectModule.sol#L163-L172
In `_processCollectWithReferral()`, if there is a `referralFee`, the contract will read `referralRecipient` from `IERC721(HUB).ownerOf(referrerProfileId)`; if `referrerProfileId` is burned, `IERC721(HUB).ownerOf(referrerProfileId)` will revert with `ERC721: owner query for nonexistent token`.
However, since we wish to allow the content to be collected, we should just treat referrals as non-existent in this situation.
Recommendation
Change to:
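The following is an added illustration of the behaviour described in this report, not the warden's recommended change and not Lens Protocol code: a referral split that treats a burned referrer profile as "no referral" instead of letting the `ownerOf` revert abort the collect. The contract name `ReferralSplit`, the function `splitReferral`, the `BPS_MAX` constant and the basis-point fee unit are assumptions made for the example; only `HUB`, `referralFee`, `referrerProfileId` and the `IERC721(HUB).ownerOf(...)` call come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Minimal interface: only the call the report discusses.
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
}

// Hypothetical helper contract for illustration; not part of Lens Protocol.
contract ReferralSplit {
    uint16 internal constant BPS_MAX = 10000; // assumed: fees in basis points
    address public immutable HUB;

    constructor(address hub) {
        HUB = hub;
    }

    // Returns the referral recipient and how `amount` is divided.
    // A burned referrer profile makes ownerOf revert; the catch branch
    // treats the referral as non-existent so the collect can proceed.
    function splitReferral(
        uint256 referrerProfileId,
        uint256 amount,
        uint16 referralFee
    ) public view returns (address recipient, uint256 referralAmount, uint256 remainder) {
        if (referralFee == 0) return (address(0), 0, amount);
        require(referralFee <= BPS_MAX, "referral fee above 100%");

        try IERC721(HUB).ownerOf(referrerProfileId) returns (address owner) {
            recipient = owner;
        } catch {
            // Burned or nonexistent token: pay no referral, keep full amount.
            return (address(0), 0, amount);
        }
        // Some ERC721 implementations return address(0) instead of reverting.
        if (recipient == address(0)) return (address(0), 0, amount);

        referralAmount = (amount * referralFee) / BPS_MAX;
        remainder = amount - referralAmount;
    }
}
```

The bare `catch` swallows every failure of the external call, including out-of-gas inside `ownerOf`, so `HUB` must be a trusted, fixed address; a `HUB` with no deployed code still reverts before the `try` takes effect.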