Closed code423n4 closed 1 year ago
Seems expected behavior.
The severity should not be high.
This is the expected behaviour, allowing the Blocked user to at least save the Follow NFT in their wallet, as it has to be unfollowed. There is no risk involved, and there is no possibility to hold an unwrapped NFT without a follow.
vicnaum marked the issue as sponsor disputed
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/FollowNFT.sol#L196-L208
Vulnerability details
Impact
It locks the NFT against the owner's wishes.
Proof of Concept
processBlock is called by the LensHub when a profile is blocked. It first checks if the follow NFT is wrapped using _isFollowTokenWrapped. If not wrapped, it forces wrapping by minting to the owner. Then it unlinks the follow. The problem is that the owner may have intentionally kept the follow NFT unwrapped.
For example:
Alice chooses to keep her Follow NFT for Bob unwrapped. Later, Bob blocks Alice. The LensHub calls processBlock on Alice's Follow NFT. processBlock forcibly wraps Alice's unwrapped Follow NFT for Bob before unlinking. Now Alice's Follow NFT is wrapped without her consent.
Tools Used
Recommended Mitigation Steps
A recommended approach would be for processBlock to: check if the Follow NFT is wrapped; if unwrapped, emit an event telling the owner to manually wrap; then unlink the follow.
Assessed type
Other
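The two behaviours discussed in this issue, as a simplified state model added here for illustration; it is not the FollowNFT.sol code. Names other than processBlock and _isFollowTokenWrapped are hypothetical, and the model assumes a token is either unwrapped or wrapped to a single wallet.

```python
# Constructed model of the follow-token states discussed in this issue.
# Not the contract's code: fields, the event name and the sample ids are assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FollowToken:
    follower: Optional[str]               # profile following with this token
    wrapped_owner: Optional[str] = None   # wallet holding it once wrapped


@dataclass
class FollowNFTModel:
    tokens: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def follow(self, token_id, follower):
        self.tokens[token_id] = FollowToken(follower=follower)

    def _is_follow_token_wrapped(self, token_id):
        return self.tokens[token_id].wrapped_owner is not None

    def process_block(self, token_id, profile_owner):
        """Behaviour described in the report: wrap if needed, then unlink."""
        if not self._is_follow_token_wrapped(token_id):
            self.tokens[token_id].wrapped_owner = profile_owner  # forced wrap
        self.tokens[token_id].follower = None                    # unlink

    def process_block_recommended(self, token_id, profile_owner):
        """The report's suggested variant: emit an event, then unlink."""
        if not self._is_follow_token_wrapped(token_id):
            # Hypothetical event name; the report does not name one.
            self.events.append(("WrapRequested", token_id, profile_owner))
        self.tokens[token_id].follower = None

    def state(self, token_id):
        t = self.tokens[token_id]
        return {"wrapped": t.wrapped_owner is not None,
                "following": t.follower is not None}


def run(variant):
    """Alice follows Bob with an unwrapped token, then Bob blocks Alice."""
    nft = FollowNFTModel()
    nft.follow(1, "alice-profile")
    getattr(nft, variant)(1, "alice-wallet")
    return nft.state(1)
```

In this model the current behaviour ends with a wrapped token and no follow, while the suggested variant ends with an unwrapped token and no follow, which is the state the sponsor's comment refers to.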