search

code-423n4 / 2023-07-lens-findings

0 stars 0 forks source link

A single profile can follow multiple times by utilizing FollowNFT#tryMigrate #117

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-lens/blob/main/contracts/FollowNFT.sol#L480-L520

Vulnerability details

Impact

A user can follow multiple times, specifically by first following through LensHub#follow, which then calls FollowNFT#follow. After that, the user can call LensV2Migration#batchMigrateFollows if they had a pre-upgrade followNFT. Furthermore, they can repeat this process as many times as they have pre-upgrade NFTs accessible to them.

Proof of Concept

The FollowNFT#tryMigrate function does not verify if the profileId being migrated is already following.

A malicious user with a pre-upgrade FollowNFT can exploit this by first calling FollowNFT#follow through LensHub and then proceeding to migrate their FollowNFT.

As a result, this leads to double following, and in a scenario where everyone follows this pattern, a profile will end up with twice as many followers as it should have. However, these followers will only be backed by half the number of unique profiles due to the duplication.

Tools Used

Manual Review

Recommended Mitigation Steps

Ensure that the followerProfileId in FollowNFT#tryMigrate is not following already. A similar check used in follow function can be used here:

if (_followTokenIdByFollowerProfileId[followerProfileId] != 0) {
    revert AlreadyFollowing();
}

Assessed type

Invalid Validation

c4-pre-sort commented 1 year ago

141345 marked the issue as duplicate of #146

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory