Users can set followModule to SecretCodeFollowModule through the setFollowModule function so that other users have to provide a passcode before they can become followers.
The processFollow function of the SecretCodeFollowModule contract verifies the passcode provided by the user. Since processFollow has no onlyHub modifier and is a view function, any user can check whether a passcode is correct without consuming any gas.
function processFollow(
    address follower,
    uint256 profileId,
    bytes calldata data
) external view override {
    uint256 passcode = abi.decode(data, (uint256));
    if (passcode != _passcodeByProfile[profileId]) revert PasscodeInvalid();
}
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/follow/SecretCodeFollowModule.sol#L25-L32
Vulnerability details
Impact
Because processFollow is a view function with no onlyHub modifier, anyone can call it directly, outside the hub's follow flow, to test passcode guesses without paying any gas, so the passcode restriction offers little protection.
Proof of Concept
https://github.com/code-423n4/2022-02-aave-lens/blob/main/contracts/core/modules/follow/SecretCodeFollowModule.sol#L25-L32
Tools Used
None
Recommended Mitigation Steps
Add the onlyHub modifier to the processFollow function of the SecretCodeFollowModule contract so that only the hub contract can call it.
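As an added illustration (not the Lens project's code), the following self-contained sketch places the unrestricted function beside the hardened form with an onlyHub modifier. The HUB immutable, the NotHub error, the constructor and the storage layout are assumptions, and override is dropped because no interface is included.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified sketch for illustration; error names and layout are assumed,
// not taken from the audited contract.
error PasscodeInvalid();
error NotHub();

contract SecretCodeFollowModuleUnrestricted {
    mapping(uint256 => uint256) internal _passcodeByProfile;

    // Callable by anyone, and because it is `view` the check can be
    // evaluated with a read-only call that costs the caller no gas.
    function processFollow(address follower, uint256 profileId, bytes calldata data)
        external view
    {
        uint256 passcode = abi.decode(data, (uint256));
        if (passcode != _passcodeByProfile[profileId]) revert PasscodeInvalid();
    }
}

contract SecretCodeFollowModuleRestricted {
    address public immutable HUB; // assumed: set once at deployment
    mapping(uint256 => uint256) internal _passcodeByProfile;

    constructor(address hub) {
        HUB = hub;
    }

    // Reverts for every caller other than the hub, as the report recommends.
    modifier onlyHub() {
        if (msg.sender != HUB) revert NotHub();
        _;
    }

    // Same validation logic, now reachable on-chain only through the hub.
    // Caveat for defenders: a `view` function is still simulated off-chain
    // with any chosen sender, and contract storage is publicly readable, so
    // a passcode kept in storage should not be treated as a strong secret.
    function processFollow(address follower, uint256 profileId, bytes calldata data)
        external view onlyHub
    {
        uint256 passcode = abi.decode(data, (uint256));
        if (passcode != _passcodeByProfile[profileId]) revert PasscodeInvalid();
    }
}
```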