Closed code423n4 closed 2 years ago
As designed. Front ends can implement this behavior, as can more advanced follow modules; however, the protocol shouldn't take an opinion on this or limit functionality.
I don't think this is overly consistent with current social networks. But I can see why it could be important to allow users to block others. However, this could be sidestepped by using another EOA.
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/FollowNFT.sol
Vulnerability details
Impact
Currently there is no way to remove a follower except if the follower "unfollows" themselves by burning the FollowNFT. One might want to block/remove an existing follower for various reasons such as comment spam and other unwanted behavior. A follower can potentially cause denial of service (in the frontend) by creating a large number of comments.
Proof of Concept
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/FollowNFT.sol
Recommended Mitigation Steps
Allow the profile owner to burn any FollowNFT. Alternatively, allow FollowNFT governance to burn any FollowNFT.
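A sketch of the first mitigation, added here as an illustration and not code from the Lens repository: a simplified follow NFT that keeps the holder-only burn (unfollow) and adds a profile-owner burn. The `profileOwner` address, the `follow` mint path and the `burnByProfileOwner` / `FollowerRemoved` names are assumptions for this example; the real FollowNFT resolves the profile owner through the LensHub and inherits its ERC721 logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Hypothetical, simplified follow NFT written for this note; it is not the
// Lens Protocol FollowNFT. The profile owner is modelled as one immutable
// address instead of being resolved through the LensHub.
contract SimpleFollowNFT {
    address public immutable profileOwner;
    uint256 private _tokenIdCounter;
    mapping(uint256 => address) private _owners;
    event Transfer(address indexed from, address indexed to, uint256 indexed tokenId);
    event FollowerRemoved(uint256 indexed tokenId, address indexed follower);

    constructor(address profileOwner_) {
        profileOwner = profileOwner_;
    }

    function ownerOf(uint256 tokenId) public view returns (address) {
        address holder = _owners[tokenId];
        require(holder != address(0), "NONEXISTENT_TOKEN");
        return holder;
    }

    // Mints a follow token to `follower`; in Lens this path is gated by the hub.
    function follow(address follower) external returns (uint256 tokenId) {
        tokenId = ++_tokenIdCounter;
        _owners[tokenId] = follower;
        emit Transfer(address(0), follower, tokenId);
    }

    // Existing behaviour: only the holder can burn (unfollow) their own token.
    function burn(uint256 tokenId) external {
        require(ownerOf(tokenId) == msg.sender, "NOT_TOKEN_HOLDER");
        _burn(tokenId);
    }

    // Mitigation from the report: the profile owner may burn any follow token,
    // removing that follower without the follower's cooperation.
    function burnByProfileOwner(uint256 tokenId) external {
        require(msg.sender == profileOwner, "NOT_PROFILE_OWNER");
        emit FollowerRemoved(tokenId, ownerOf(tokenId));
        _burn(tokenId);
    }

    function _burn(uint256 tokenId) internal {
        address holder = ownerOf(tokenId);
        delete _owners[tokenId];
        emit Transfer(holder, address(0), tokenId);
    }
}
```

As the sponsor notes above, a removed follower can simply follow again from another EOA, so this only removes a specific token and does not by itself enforce a block list.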