Open code423n4 opened 1 year ago
We were aware of this; we think for now the whitelist is just to prevent creating new publications with the modules, but we allow old publications to keep executing with their old modules as a "backwards compatibility" thing.
We would dispute validity, but given we didn't add this as a known issue, we can accept it, but as QA/Low severity.
donosonaumczuk marked the issue as disagree with severity
The reasoning about "backwards compatibility" makes sense. I'll downgrade this to QA.
Picodes changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/ActionLib.sol#L28-L38
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/PublicationLib.sol#L318-L321
Vulnerability details
Bug Description
In the `LensHub` contract, action and reference modules can be whitelisted/un-whitelisted by governance using `whitelistActionModule()` and `whitelistReferenceModule()` respectively. When publications are acted on using the `act()` function, `ActionLib` validates that the chosen module was added to the publication being acted on: ActionLib.sol#L28-L38

However, the function does not check if `StorageLib.actionModuleWhitelistData()[actionModuleAddress].isWhitelisted` is `true`, which means that there is no check if the module is currently whitelisted. Therefore, if a module was previously whitelisted but subsequently removed from the whitelist by governance, it will still remain executable.

Similarly, when publications with referrals are created (comment, mirror or quote), the following functions will call the reference module without validating that it is currently whitelisted:
- `_processCommentIfNeeded()`
- `_processQuoteIfNeeded()`
- `_processMirrorIfNeeded()`

Therefore, as long as the pointed publication was initialized with a reference module, it can still be used for referrals even after being un-whitelisted.
Impact
Action and reference modules that have been removed from the whitelist by governance will still remain executable after being un-whitelisted.
This becomes an issue if governance ever needs to prevent users from executing a certain module (e.g. the module has a bug or turns malicious), as they have no way of doing so.
Proof of Concept
The Foundry code below contains two tests:
- `testActionModuleStillExecutableWhenUnwhitelisted()` demonstrates how action modules can still be executed through `act()` after being removed from the whitelist using `whitelistActionModule()`.
- `testReferenceModuleStillExecutableWhenUnwhitelisted()` shows that reference modules can still be used after being un-whitelisted using `whitelistReferenceModule()`.
Recommended Mitigation
Consider ensuring that the action/reference module is whitelisted before executing it:
ActionLib.sol#L28-L38
PublicationLib.sol#L318-L321
Assessed type
Invalid Validation
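A constructed Solidity sketch of the pattern the report describes beside the check it recommends, added here as an example and not taken from the Lens codebase; the contract, its storage layout and every function name are simplified assumptions, not Lens's `ActionLib`, `StorageLib` or `LensHub`:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Constructed illustration of the whitelist-bypass pattern from the issue.
/// Names and storage shapes are simplified assumptions, not Lens code.
contract ModuleWhitelistExample {
    struct WhitelistData { bool isWhitelisted; }

    address public governance;
    // module address => governance whitelist status (can be revoked later)
    mapping(address => WhitelistData) internal actionModuleWhitelist;
    // publication id => module address => module enabled on that publication
    mapping(uint256 => mapping(address => bool)) internal actionModuleEnabled;

    error NotGovernance();
    error ActionNotAllowed();
    error ModuleNotWhitelisted();

    constructor() { governance = msg.sender; }

    /// Governance toggles the whitelist; un-whitelisting must be able to stop a buggy module.
    function whitelistActionModule(address module, bool whitelist) external {
        if (msg.sender != governance) revert NotGovernance();
        actionModuleWhitelist[module].isWhitelisted = whitelist;
    }

    /// Attaching a module to a publication is only allowed while it is whitelisted.
    function enableModuleOnPublication(uint256 pubId, address module) external {
        if (!actionModuleWhitelist[module].isWhitelisted) revert ModuleNotWhitelisted();
        actionModuleEnabled[pubId][module] = true;
    }

    /// Vulnerable pattern: only checks that the module was attached to the publication,
    /// so a module un-whitelisted after attachment still passes.
    function actVulnerable(uint256 pubId, address module) external view returns (bool) {
        if (!actionModuleEnabled[pubId][module]) revert ActionNotAllowed();
        return true;
    }

    /// Hardened: also requires the module to be whitelisted at execution time.
    function actHardened(uint256 pubId, address module) external view returns (bool) {
        if (!actionModuleEnabled[pubId][module]) revert ActionNotAllowed();
        if (!actionModuleWhitelist[module].isWhitelisted) revert ModuleNotWhitelisted();
        return true;
    }
}
```

The hardened variant is the check the report recommends; the sponsor's comment above notes the trade-off that it also stops publications created with a module before it was un-whitelisted.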