Closed code423n4 closed 2 years ago
Invalid. You are not supposed to be able to set the collect module as the zero address anyway since it interferes with logic for determining parent and child content (mirrors don't have collect modules).
I agree, I don't see why the collect module would be set to the zero address.
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/PublishingLogic.sol#L299-L316
Vulnerability details
Impact
When a user creates a publication, _initPubCollectModule is used to initialize CollectModule, but when collectModule is 0, subsequent calls to initializePublicationCollectModule for 0 address will fail even if the 0 address is in _collectModuleWhitelisted.
Proof of Concept
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/libraries/PublishingLogic.sol#L299-L316
Tools Used
None
Recommended Mitigation Steps