Impact
A user can follow a ProfileId via LensHub.follow. If the profile has set a followModule, FeeFollowModule.processFollow is called to collect the fee from the caller. If the fee currency is GUSD, treasuryAmount may round down to 0, so the protocol receives no fee and suffers a fund loss.
Proof of Concept
Let's look at the code of FeeFollowModule.processFollow.
According to the formula at L82, treasuryAmount = (900 * 10) / 10000 = 0 after integer division, so the treasury never receives this fee. Imagine that targetProfileId is owned by a well-known person with a very large number of followers: one follower would transfer $0.09 to the treasury, and 100 million followers would transfer $900M. In this case the protocol's loss is huge.
MultirecipientFeeCollectModule/BaseFeeCollectModule have the same issue. The affected lines are marked in the Lines of code links, so they are not repeated here.
Tools Used
Manual Review
Recommended Mitigation Steps
Do not add tokens with decimals less than 6 to the whitelist.
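The rounding in the proof of concept and the decimals rule from the mitigation, modelled in Python as an added example (not Lens Protocol code). It assumes the module computes treasuryAmount = amount * treasuryFee / 10000 with Solidity integer (floor) division, as the (900 * 10) / 10000 formula above shows, and that GUSD has 2 decimals; the function and variable names are the example's own.

```python
from decimal import Decimal

# Added example, not Lens Protocol code. It models the treasury-fee rounding
# described in the report and the decimals rule recommended as mitigation.
# Assumption: the module computes treasuryAmount = amount * treasuryFee / BPS_MAX
# with BPS_MAX = 10000, matching the (900 * 10) / 10000 formula cited above.
BPS_MAX = 10_000


def treasury_amount(amount: int, treasury_fee_bps: int) -> int:
    """Treasury cut in token base units, using Solidity-style floor division."""
    if amount < 0 or not 0 <= treasury_fee_bps <= BPS_MAX:
        raise ValueError("amount must be >= 0 and fee within [0, BPS_MAX]")
    return amount * treasury_fee_bps // BPS_MAX


def min_amount_paying_treasury(treasury_fee_bps: int) -> int:
    """Smallest amount (base units) whose treasury cut is at least 1 base unit.

    Any fee below this threshold sends nothing to the treasury because of rounding.
    """
    if treasury_fee_bps <= 0:
        raise ValueError("treasury fee must be positive")
    return -(-BPS_MAX // treasury_fee_bps)  # ceil(BPS_MAX / fee) without floats


def to_base_units(human_amount: str, decimals: int) -> int:
    """Convert a human-readable amount such as '9.00' into token base units."""
    return int(Decimal(human_amount) * (10 ** decimals))


def treasury_loses_fee(human_amount: str, decimals: int, treasury_fee_bps: int) -> bool:
    """True when a follow/collect fee of this size rounds the treasury's cut to zero."""
    return treasury_amount(to_base_units(human_amount, decimals), treasury_fee_bps) == 0


def whitelist_allows(decimals: int, min_decimals: int = 6) -> bool:
    """Governance rule from the mitigation: reject tokens with fewer than 6 decimals."""
    return decimals >= min_decimals


if __name__ == "__main__":
    # Constructed scenario from the report: a 900 base-unit fee in GUSD (2 decimals)
    # with a 10 bps treasury fee.
    print(treasury_amount(900, 10))                  # 0: the treasury gets nothing
    print(min_amount_paying_treasury(10))            # 1000 base units = $10.00 in GUSD
    print(treasury_loses_fee("9.00", 2, 10))         # True  (2-decimal token)
    print(treasury_loses_fee("9.00", 6, 10))         # False (6-decimal token: 9000 units)
    print(whitelist_allows(2), whitelist_allows(6))  # False True
```

The threshold function makes the governance rule concrete: with a 10 bps treasury fee, any fee below 1000 base units pays the treasury nothing, which for a 2-decimal token means every fee under $10.00, whereas for a 6-decimal token the same threshold is a fraction of a cent.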
The recommendation "Do not add tokens with decimals less than 6 to the whitelist" is part of the assumptions listed in the README. Governance will whitelist tokens that make sense for the protocol.
Lines of code
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/modules/follow/FeeFollowModule.sol#L82
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/modules/act/collect/MultirecipientFeeCollectModule.sol#L185
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/modules/act/collect/base/BaseFeeCollectModule.sol#L190
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/modules/act/collect/base/BaseFeeCollectModule.sol#L219
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/modules/act/collect/base/BaseFeeCollectModule.sol#L274
Assessed type
Decimal