code-423n4 / 2023-07-lens-findings


Anyone can burn/steal other users' wrapped follow NFTs #124

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/FollowNFT.sol#L188-L193

Vulnerability details

Impact

Proof of Concept

The lack of an ownership check in the unwrap() function creates a vulnerability where anyone can unwrap and steal a follow NFT. The unwrap() function burns the follow NFT to unwrap it.

1. Attacker calls unwrap(followTokenId) on someone else's wrapped follow NFT.
2. The unwrap() code does not verify msg.sender owns the associated profile.
3. It only checks _followData to see if a follow exists.
4. So it succeeds and burns/deletes the NFT even though msg.sender doesn't own it.
5. This effectively steals the NFT from its rightful owner.

This means: Eve could call unwrap() on a follow NFT owned by Alice. The follow NFT gets burned. Now Eve has effectively stolen Alice's follow. Eve has unwrapped and taken ownership of a follow NFT she does not own.

Tools Used

Manual

Recommended Mitigation Steps

unwrap() should verify msg.sender owns the associated profile NFT before burning:

Assessed type

Other

c4-pre-sort commented 1 year ago

141345 marked the issue as low quality report

141345 commented 1 year ago

invalid

line 192, `super.burn(followTokenId);` checks for ownership

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid
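As an added illustration of why the pre-sort and judge rejected the report, the contract below models the pattern the thread describes: an unwrap() that carries no ownership check of its own but delegates to an inherited burn() that does enforce one. This is editorial example code, not FollowNFT.sol and not code posted by anyone in the thread; MinimalNFT, FollowWrapper, follow(), wrap(), the FollowData struct and the revert strings are hypothetical names chosen for the example, and the base-contract burn() is modelled on the usual ERC721 owner-or-approved rule rather than copied from the Lens codebase.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for an ERC721-style base contract. It exists only to
// show where the authorization check lives: in the inherited burn(), not in
// the derived unwrap().
contract MinimalNFT {
    mapping(uint256 => address) internal _owners;
    mapping(uint256 => address) internal _tokenApprovals;
    mapping(address => mapping(address => bool)) internal _operatorApprovals;

    function ownerOf(uint256 tokenId) public view returns (address) {
        address owner = _owners[tokenId];
        require(owner != address(0), "nonexistent token");
        return owner;
    }

    function approve(address to, uint256 tokenId) external {
        require(msg.sender == ownerOf(tokenId), "not owner");
        _tokenApprovals[tokenId] = to;
    }

    function setApprovalForAll(address operator, bool approved) external {
        _operatorApprovals[msg.sender][operator] = approved;
    }

    function _isApprovedOrOwner(address spender, uint256 tokenId) internal view returns (bool) {
        address owner = ownerOf(tokenId);
        return spender == owner
            || _tokenApprovals[tokenId] == spender
            || _operatorApprovals[owner][spender];
    }

    // The ownership check the report missed: any caller that is neither the
    // owner nor approved reverts here, whatever the derived contract did first.
    function burn(uint256 tokenId) public virtual {
        require(_isApprovedOrOwner(msg.sender, tokenId), "not owner nor approved");
        delete _tokenApprovals[tokenId];
        delete _owners[tokenId];
    }

    function _mint(address to, uint256 tokenId) internal {
        require(_owners[tokenId] == address(0), "already minted");
        _owners[tokenId] = to;
    }
}

// Hypothetical follow wrapper. unwrap() only inspects _followData, exactly
// as the report observed, and relies on super.burn() for authorization.
contract FollowWrapper is MinimalNFT {
    struct FollowData {
        address follower; // who holds the unwrapped follow
        bool wrapped;     // true while the follow is represented by an NFT
    }
    mapping(uint256 => FollowData) internal _followData;

    // Claim an unused follow slot (constructed setup step for the example).
    function follow(uint256 followTokenId) external {
        require(_followData[followTokenId].follower == address(0), "already taken");
        _followData[followTokenId] = FollowData({follower: msg.sender, wrapped: false});
    }

    // Turn an unwrapped follow into an NFT owned by the follower.
    function wrap(uint256 followTokenId) external {
        FollowData storage fd = _followData[followTokenId];
        require(fd.follower == msg.sender && !fd.wrapped, "not your unwrapped follow");
        fd.wrapped = true;
        _mint(msg.sender, followTokenId);
    }

    // No explicit msg.sender check here ...
    function unwrap(uint256 followTokenId) external {
        FollowData storage fd = _followData[followTokenId];
        require(fd.wrapped, "not wrapped");
        fd.wrapped = false;
        // The current NFT holder becomes the unwrapped follower; ownerOf must be
        // read before the burn clears it.
        fd.follower = ownerOf(followTokenId);
        // ... because super.burn() reverts for anyone who is not the owner or
        // approved, so Eve calling unwrap() on Alice's token reverts the whole
        // transaction, including the _followData writes above.
        super.burn(followTokenId);
    }
}
```

To check the behaviour, deploy FollowWrapper, have Alice call follow(1) and wrap(1), then have Eve call unwrap(1): the call reverts with "not owner nor approved" from the inherited burn, while the same call from Alice (or an address she approved) succeeds. The reviewer's lesson from this finding is to trace the whole call chain, including inherited and overridden functions, before concluding that an authorization check is absent.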