Lines of code
https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/FollowNFT.sol#L188-L193
Vulnerability details
Impact
unwrap() in FollowNFT.sol does not check that the caller owns the follow it is unwrapping, so anyone can unwrap, and thereby burn, a wrapped follow NFT that belongs to someone else. The rightful owner loses the wrapped token without ever consenting to the unwrap.
Proof of Concept
unwrap() burns the follow NFT to unwrap it. The only precondition it enforces is a lookup in _followData confirming that a follow exists for followTokenId; it never verifies that msg.sender owns the associated profile.
The attacker calls unwrap(followTokenId) on someone else's wrapped follow NFT.
The _followData check passes because the follow exists.
The call succeeds and burns/deletes the NFT even though msg.sender does not own it, effectively stealing the wrapped follow from its rightful owner.
Concretely: Eve calls unwrap() on a follow NFT owned by Alice. The follow NFT is burned. Eve has forced the unwrap of a follow NFT she does not own, and Alice's wrapped follow is gone without her consent. Note that the attacker does not receive the token; the damage is the unauthorized burn.
Tools Used
Manual
Recommended Mitigation Steps
unwrap() should verify that msg.sender owns the profile NFT associated with the follow before burning. When triaging, also confirm that the burn routine unwrap() delegates to does not already enforce an owner-or-approved check on the token; if it does, the missing check in unwrap() itself is not reachable as described above.
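The following is an added example, not Lens code and not the reporter's own snippet. It models the bookkeeping the finding describes in a minimal self-contained contract and places the vulnerable shape of unwrap() beside a hardened one that applies the recommended profile-ownership check. profileOwner (a stand-in for the profile NFT's ownerOf), the setup() helper and the simplified _followData and _tokenOwner mappings are assumptions made so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example (not Lens code). profileOwner, setup() and the trimmed-down
// FollowData struct are assumptions so the contract is self-contained.
contract FollowNFTUnwrapExample {
    struct FollowData {
        uint256 followerProfileId; // 0 means no follow exists for this token id
    }

    error NotFollowing();
    error NotProfileOwner();

    // Hypothetical profile registry: profileId => owner of that profile NFT.
    mapping(uint256 => address) public profileOwner;
    // Follow bookkeeping keyed by follow token id (mirrors the finding's _followData).
    mapping(uint256 => FollowData) internal _followData;
    // Wrapped follow NFT ownership: followTokenId => holder, address(0) once unwrapped.
    mapping(uint256 => address) internal _tokenOwner;

    // Test-only setup so the scenario can be constructed in one call:
    // `owner` owns profile `profileId`, which follows via wrapped token `followTokenId`.
    function setup(uint256 profileId, address owner, uint256 followTokenId) external {
        profileOwner[profileId] = owner;
        _followData[followTokenId] = FollowData({followerProfileId: profileId});
        _tokenOwner[followTokenId] = owner;
    }

    function ownerOf(uint256 followTokenId) external view returns (address) {
        return _tokenOwner[followTokenId];
    }

    // Vulnerable shape described by the finding: only an existence check, then burn.
    // Any caller can burn any wrapped follow token that exists.
    function unwrapVulnerable(uint256 followTokenId) external {
        if (_followData[followTokenId].followerProfileId == 0) revert NotFollowing();
        _burn(followTokenId);
    }

    // Hardened version: same existence check, plus the caller must own the
    // follower profile NFT associated with this follow (the page's recommendation).
    function unwrap(uint256 followTokenId) external {
        uint256 followerProfileId = _followData[followTokenId].followerProfileId;
        if (followerProfileId == 0) revert NotFollowing();
        if (profileOwner[followerProfileId] != msg.sender) revert NotProfileOwner();
        _burn(followTokenId);
    }

    // Burning removes the wrapped ERC-721 but leaves _followData untouched, so the
    // follow survives in the unwrapped state, which is what unwrapping means here.
    function _burn(uint256 followTokenId) internal {
        delete _tokenOwner[followTokenId];
    }
}
```

To reproduce the finding's scenario: call setup(1, alice, 7), then from any address other than alice call unwrapVulnerable(7); it succeeds and ownerOf(7) becomes address(0) even though the caller never held the token or the profile. The same call to unwrap(7) reverts with NotProfileOwner. A token-level owner-or-approved check on the wrapped ERC-721 is the other common guard for a burn path; which one is correct for the real contract depends on whether the wrapped token's holder and the follower profile's owner are always the same party, which this example does not model.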
Assessed type
Other