code-423n4 / 2023-07-lens-findings


Inability of Followers and Followees to Comment #102

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/LensHub.sol#L320

Vulnerability details

Impact

The lack of functionality restricts interaction and engagement between the profile owner and their followers or the users they follow. This limitation diminishes the platform's value, as users who are interested in a post or have a genuine reason to comment are prevented from doing so.

Proof of Concept

Currently, the protocol allows only the owner of a post and explicitly delegated executors to comment on the post. However, there is a lack of functionality that prevents followers and users being followed by the post owner from commenting on the post. As a result, users who are in the "follow" or "following" list of the post owner cannot comment on posts, limiting the engagement and interaction potential of the platform.

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/LensHub.sol#L320C5-L342C1

```solidity
function follow(
    uint256 followerProfileId,
    uint256[] calldata idsOfProfilesToFollow,
    uint256[] calldata followTokenIds,
    bytes[] calldata datas
)
    external
    override
    whenNotPaused
    onlyProfileOwnerOrDelegatedExecutor(msg.sender, followerProfileId)
    returns (uint256[] memory)
{
    return
        FollowLib.follow({
            followerProfileId: followerProfileId,
            idsOfProfilesToFollow: idsOfProfilesToFollow,
            followTokenIds: followTokenIds,
            followModuleDatas: datas,
            transactionExecutor: msg.sender
        });
}
```

Tools Used

Manual

Recommended Mitigation Steps

current functionality to allow followers and users being followed by the post owner to comment on the posts. This can be achieved by modifying the "onlyProfileOwnerOrDelegatedExecutor" modifier to incorporate additional logic that permits interaction for followers and the users they follow.

One possible approach is to add a new mapping or data structure that associates the profile owner's address with the list of users they follow (followees) and the users following them (followers). Then, update the modifier to verify whether the sender's address is either in the followers or followees list of the profile owner. If the condition is met, the comment functionality should be allowed.

Assessed type

Invalid Validation

141345 commented 1 year ago

seems expected behavior

just like some news channel, only used to post official info, no comments allowed

vicnaum commented 1 year ago

onlyProfileOwnerOrDelegatedExecutor means that the address that is commenting owns the profile that they use for commenting. It has nothing to do with the post they comment on. The submission is invalid.
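
The following Python model is an added example, not Lens code, written to make the sponsor's point concrete: the modifier answers "may this sender act on behalf of the profile passed as `profileId`?", and the target publication and the follow graph never enter that check. The `Hub` class, the profile ids, the addresses (`0xAlice`, `0xBob`, `0xCarol`, `0xExecutor`) and the method names are all constructed for illustration and do not mirror the real contract's storage layout or signatures.

```python
# Simplified model of a Lens-style profile authorization check (added example,
# not Lens code). All names, ids and addresses below are constructed.
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Stands in for the revert raised by onlyProfileOwnerOrDelegatedExecutor."""


@dataclass
class Hub:
    owners: dict = field(default_factory=dict)       # profile id -> owner address
    delegated: dict = field(default_factory=dict)    # profile id -> set of approved executors
    follows: dict = field(default_factory=dict)      # profile id -> set of profile ids it follows
    pubs: dict = field(default_factory=dict)         # (profile id, pub id) -> publication record
    next_pub_id: dict = field(default_factory=dict)  # per-profile publication counter

    def create_profile(self, profile_id, owner):
        self.owners[profile_id] = owner
        self.delegated.setdefault(profile_id, set())
        self.follows.setdefault(profile_id, set())
        self.next_pub_id[profile_id] = 1

    def set_delegated_executor(self, sender, profile_id, executor):
        # Only the profile owner may approve an executor for that profile.
        if self.owners.get(profile_id) != sender:
            raise Unauthorized("not owner")
        self.delegated[profile_id].add(executor)

    def is_owner_or_delegated_executor(self, sender, profile_id):
        # The modifier's question: may `sender` act on behalf of `profile_id`?
        # Nothing about the publication being commented on is consulted.
        return (self.owners.get(profile_id) == sender
                or sender in self.delegated.get(profile_id, set()))

    def _require_authorized(self, sender, profile_id):
        if not self.is_owner_or_delegated_executor(sender, profile_id):
            raise Unauthorized(f"{sender} may not act for profile {profile_id}")

    def _publish(self, profile_id, record):
        pub_id = self.next_pub_id[profile_id]
        self.next_pub_id[profile_id] = pub_id + 1
        self.pubs[(profile_id, pub_id)] = record
        return pub_id

    def post(self, sender, profile_id, content):
        self._require_authorized(sender, profile_id)
        return self._publish(profile_id, {"kind": "post", "content": content})

    def follow(self, sender, follower_profile_id, ids_to_follow):
        # As in follow(): the check is on the acting (follower) profile.
        self._require_authorized(sender, follower_profile_id)
        self.follows[follower_profile_id].update(ids_to_follow)

    def comment(self, sender, profile_id, pointed_profile_id, pointed_pub_id, content):
        # The check is on `profile_id`, the commenter's own profile, not on the
        # profile that owns the pointed publication; `follows` is never read here.
        self._require_authorized(sender, profile_id)
        if (pointed_profile_id, pointed_pub_id) not in self.pubs:
            raise KeyError("pointed publication does not exist")
        return self._publish(profile_id, {"kind": "comment",
                                          "pointed": (pointed_profile_id, pointed_pub_id),
                                          "content": content})


def scenario():
    """Runs three comment attempts and reports which ones the check admits."""
    hub = Hub()
    alice, bob, carol, executor = "0xAlice", "0xBob", "0xCarol", "0xExecutor"  # constructed
    hub.create_profile(1, alice)
    hub.create_profile(2, bob)
    hub.create_profile(3, carol)
    bob_post = hub.post(bob, 2, "official announcement")

    results = {}
    # Alice comments on Bob's post with her own profile; no follow relation exists.
    results["alice_own_profile_no_follow"] = hub.comment(alice, 1, 2, bob_post, "hi") is not None
    # Carol follows Alice, then tries to comment *using Alice's profile*: rejected,
    # because the check is about who may act for profile 1, not about follows.
    hub.follow(carol, 3, [1])
    try:
        hub.comment(carol, 1, 2, bob_post, "spoof")
        results["carol_using_alice_profile"] = True
    except Unauthorized:
        results["carol_using_alice_profile"] = False
    # An executor Alice approved may comment as profile 1.
    hub.set_delegated_executor(alice, 1, executor)
    results["delegated_executor_as_alice"] = (
        hub.comment(executor, 1, 2, bob_post, "via executor") is not None)
    return results
```

The first case is the one the submission claims is blocked: a profile that neither follows nor is followed by the post author comments successfully, because the only requirement is that the sender controls the profile it is commenting from. The second case shows what the modifier actually prevents, which is using someone else's profile.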

c4-sponsor commented 1 year ago

vicnaum marked the issue as sponsor disputed

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid