code-423n4 / 2022-02-aave-lens-findings


SecretCodeFollowModule: processFollow should add onlyHub modifier #9

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/follow/SecretCodeFollowModule.sol#L25-L32

Vulnerability details

Impact

Users can set followModule to SecretCodeFollowModule through the setFollowModule function to make other users have to provide a passcode before they can become followers.

The processFollow function of the SecretCodeFollowModule contract is used to verify the passcode provided by the user. Since the processFollow function has no onlyHub modifier and is a view function, any user can verify whether a passcode is correct without consuming gas.

    // No onlyHub modifier: callable by anyone, and as a view function it can be
    // evaluated off-chain via eth_call at no cost.
    function processFollow(
        address follower,
        uint256 profileId,
        bytes calldata data
    ) external view override {
        uint256 passcode = abi.decode(data, (uint256));
        if (passcode != _passcodeByProfile[profileId]) revert PasscodeInvalid();
    }

Proof of Concept

https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/follow/SecretCodeFollowModule.sol#L25-L32

Tools Used

None

Recommended Mitigation Steps

Add the onlyHub modifier to the processFollow function of the SecretCodeFollowModule contract.
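The following is an added example, not code from the Lens Protocol repository or from the finding's author. It places the passcode check described above next to a hub-gated variant, plus a small prober contract that shows how an unguarded view function leaks whether a guess is correct. All names here (HubGated, OpenPasscodeModule, GatedPasscodeModule, Prober, NotHub, setPasscode, HUB) are assumptions chosen for illustration; the real module receives its passcode through the hub's module-initialisation path rather than a public setter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example for the finding above; not Lens Protocol code.
// The contract and function names below are assumptions.

error PasscodeInvalid();
error NotHub();

/// Minimal hub gate modelled on what an onlyHub modifier would do.
abstract contract HubGated {
    address public immutable HUB;

    constructor(address hub) {
        HUB = hub;
    }

    modifier onlyHub() {
        if (msg.sender != HUB) revert NotHub();
        _;
    }
}

/// Variant matching the finding: no hub gate on processFollow.
/// Any account can call it through eth_call and learn whether a
/// candidate passcode is right without spending gas.
contract OpenPasscodeModule {
    mapping(uint256 => uint256) internal _passcodeByProfile;

    // Hypothetical setter; stands in for the module's initialisation hook.
    function setPasscode(uint256 profileId, uint256 passcode) external {
        _passcodeByProfile[profileId] = passcode;
    }

    function processFollow(
        address, /* follower */
        uint256 profileId,
        bytes calldata data
    ) external view {
        uint256 passcode = abi.decode(data, (uint256));
        if (passcode != _passcodeByProfile[profileId]) revert PasscodeInvalid();
    }
}

/// Variant with the mitigation the finding recommends.
contract GatedPasscodeModule is HubGated {
    mapping(uint256 => uint256) internal _passcodeByProfile;

    constructor(address hub) HubGated(hub) {}

    function setPasscode(uint256 profileId, uint256 passcode) external {
        _passcodeByProfile[profileId] = passcode;
    }

    function processFollow(
        address, /* follower */
        uint256 profileId,
        bytes calldata data
    ) external view onlyHub {
        uint256 passcode = abi.decode(data, (uint256));
        if (passcode != _passcodeByProfile[profileId]) revert PasscodeInvalid();
    }
}

/// Prober: called via eth_call (free), it distinguishes a wrong passcode from
/// a right one against the open module. Against the gated module every call
/// reverts with NotHub, so the passcode check is never reached.
contract Prober {
    function guess(
        address module,
        uint256 profileId,
        uint256 candidate
    ) external view returns (bool correct) {
        bytes memory data = abi.encode(candidate);
        try OpenPasscodeModule(module).processFollow(address(this), profileId, data) {
            return true; // no revert: candidate matched the stored passcode
        } catch {
            return false; // PasscodeInvalid (open module) or NotHub (gated module)
        }
    }
}
```

One caveat worth keeping in mind when assessing the mitigation: eth_call lets the caller choose the `from` address, so a read-only simulation can set msg.sender to the hub (or simulate the hub's own follow call) and still learn the outcome of the check off-chain. The onlyHub gate stops arbitrary on-chain callers, but it does not by itself turn a view-based comparison into an oracle that cannot be queried for free; the practical protection is the size of the uint256 passcode space, which makes exhaustive guessing infeasible unless users choose low-entropy codes.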

oneski commented 2 years ago

per comments in the discord this contract is out of scope

0xleastwood commented 2 years ago

Out of scope asset, marking as invalid.