Closed code423n4 closed 1 year ago
Seems expected behavior: the owner can rent, can take back.
It works like this by design. It is up to the follower when to take the risk or not. We expect this to be used with NFTs held by contracts, so the contract can guarantee that the "removeFollower" will be executed only under certain conditions. For example, you are renting the follow state by a monthly subscription, so "removeFollower" is only executed if your subscription was not paid, etc.
donosonaumczuk marked the issue as sponsor disputed
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/FollowNFT.sol#L311-L339
Vulnerability details
Impact
Users that follow another profile by entering an existing followNFT tokenId can be removed at any time by the address that possesses the token.
This is because `_followWithWrappedToken` does not burn the token, so it does not withdraw the `removeFollower` power from the address that holds the token.
Proof of Concept
The protocol allows users to follow a profile by using an existing tokenId from a profile that has approved the caller to do so. The problem is that the address that owns that token (in case the token is wrapped) can call `removeFollower` at any time to remove that follower. For example, `removeFollower` to force Charles to unfollow Bob.

Tools Used
Manual Review
Recommended Mitigation Steps
Within the `_baseFollow` function, if `isOriginalFollow` is false, burn that tokenId. This withdraws the `removeFollower` power from the former token holder whenever a new profile registers with that token.

Assessed type
Access Control
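To make the reported impact and the proposed mitigation concrete, the following is a deliberately simplified toy contract added for this writeup; it is not Lens Protocol code. The contract name `FollowRegistryToy`, the functions `registerProfile`, `approveFollow`, `follow`, `followWithToken` and `removeFollower`, and the `burnOnReuse` constructor flag are all hypothetical stand-ins for the real `FollowNFT` logic. A token has a "wrapped" state (an address in `ownerOf`) and an "unwrapped" state (zero address), and re-wrapping after a burn is intentionally not modelled. With `burnOnReuse = false` the former holder keeps `removeFollower` power after lending the token; with `burnOnReuse = true` the token is burned at follow time, so the former holder's `removeFollower` call reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical, simplified follow-NFT model (added example, not Lens Protocol code).
// One token id carries at most one follower profile id; a wrapped token has an
// ERC721-style owner who may call removeFollower.
contract FollowRegistryToy {
    // tokenId => follower profile id (0 = nobody follows with this token)
    mapping(uint256 => uint256) public followerOf;
    // tokenId => holder of the wrapped token (address(0) = unwrapped or burned)
    mapping(uint256 => address) public ownerOf;
    // tokenId => profile id the holder allowed to follow with this token
    mapping(uint256 => uint256) public approvedFollowerProfile;
    // profileId => address controlling that profile (constructed stand-in for profile ownership)
    mapping(uint256 => address) public profileOwner;

    uint256 public nextTokenId = 1;
    // false = behaviour described in the finding, true = recommended mitigation
    bool public immutable burnOnReuse;

    constructor(bool _burnOnReuse) {
        burnOnReuse = _burnOnReuse;
    }

    function registerProfile(uint256 profileId) external {
        require(profileOwner[profileId] == address(0), "profile taken");
        profileOwner[profileId] = msg.sender;
    }

    // Original follow: mint a fresh wrapped token to the follower's address.
    function follow(uint256 followerProfileId) external returns (uint256 tokenId) {
        require(profileOwner[followerProfileId] == msg.sender, "not profile owner");
        tokenId = nextTokenId++;
        ownerOf[tokenId] = msg.sender;
        followerOf[tokenId] = followerProfileId;
    }

    // The token holder lets another profile follow with this token.
    function approveFollow(uint256 tokenId, uint256 followerProfileId) external {
        require(ownerOf[tokenId] == msg.sender, "not token owner");
        approvedFollowerProfile[tokenId] = followerProfileId;
    }

    // Follow with an existing wrapped token: the !isOriginalFollow path.
    function followWithToken(uint256 followerProfileId, uint256 tokenId) external {
        require(profileOwner[followerProfileId] == msg.sender, "not profile owner");
        require(ownerOf[tokenId] != address(0), "token not wrapped");
        require(approvedFollowerProfile[tokenId] == followerProfileId, "not approved");

        followerOf[tokenId] = followerProfileId;
        delete approvedFollowerProfile[tokenId];

        if (burnOnReuse) {
            // Mitigation: burning the wrapped token removes the former holder's
            // ability to pass the ownerOf check in removeFollower below.
            delete ownerOf[tokenId];
        }
    }

    // Only the current holder of the wrapped token can evict the follower.
    // Without the burn above, the lender still passes this check.
    function removeFollower(uint256 tokenId) external {
        require(ownerOf[tokenId] == msg.sender, "not token owner");
        delete followerOf[tokenId];
    }
}
```

Deployed with `burnOnReuse = false`, a holder who calls `approveFollow`, lets a second profile call `followWithToken`, and then calls `removeFollower` succeeds in clearing `followerOf[tokenId]`; the same sequence with `burnOnReuse = true` reverts at `removeFollower` with "not token owner". The trade-off the sponsor's reply points to is visible in the model too: once the token is burned, a contract renting out follow state by subscription has no handle left to revoke it.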