Open code423n4 opened 2 years ago
Various duplicates, we are not acting on any of this except the comment, which is a good point. On the point of input validation, this is true but the constructors and the LensHub initializer, being part of the initial setup, are within the trust assumptions (just like governance being a legitimate timelock controlled by a multisig etc)
LensHub constructor lack input validation
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/LensHub.sol#L57 Recommended to add check to make sure addresses supplied is not address(0)
CollectNFT constructor lack input validation
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/CollectNFT.sol#L29 Recommended to add check to make sure addresses supplied is not address(0)
FollowNFT constructor lack input validation
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/FollowNFT.sol#L48 Recommended to add check to make sure addresses supplied is not address(0)
Interdependency of LensHub and CollectNFT/FollowNFT construction
CollectNFT/FollowNFT require the address of LensHub in the constructor, while LensHub require the address of CollectNFT and FollowNFT. While we can use a pre-computed address, it might be better to call the initializer from LensHub to set everything at once.
LensHub.initialize lack input validation
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/LensHub.sol#L63 Recommended to add check to make sure newGovernance is not address(0)
Add comment to explain why ++pubCount is not used
The way
_createComment
coded is likely to prevent comment loop so pubCount is incremented afterPublishingLogic.createComment
. It looks a bit werid since other function use ++pubCount instead. Recommed to add soe comment here for future reference. https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/LensHub.sol#L878Implement 2 steps governance transfer in LensHub
To reduce risk of failed governance transfer, use a 2 steps process that require the new governance's interaction. https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/LensHub.sol#L78
Implement 2 steps governance transfer in ModuleGlobals
To reduce risk of failed governance transfer, use a 2 steps process that require the new governance's interaction. https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/modules/ModuleGlobals.sol#L50