code-423n4 / 2023-07-lens-findings


Cannot unfollow a profile without having access to the Follow NFT #153

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/FollowNFT.sol#L115-L125

Vulnerability details

Impact

In scenarios where a user fails to unfollow a profile before selling his follow NFT, he could forever be unable to unfollow the profile.

Proof of Concept

A user could sell his follow NFT without unfollowing a profile. If the new owner of the follow NFT doesn't set the user as the operator or doesn't remove the current user from being a follower, the user will forever be unable to unfollow the profile.

An example scenario would be:

  1. Follow NFTs of a particular profile gain monetary value and are being sold at high prices.
  2. A user following the profile decides to wrap and sell his Follow NFT but fails to unfollow.
  3. The user develops a bad relationship with the profile.
  4. He wants to unfollow but is unable to.

Tools Used

Manual Review

Recommended Mitigation Steps

Allow a profile to unfollow even if the user is not the owner of the NFT.

Assessed type

Other
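
The scenario above, modelled as a minimal Solidity contract. This is an added illustration written for this page, not Lens code: the contract name, storage layout and function names (`FollowRegistryModel`, `unfollowStrict`, `unfollowFixed`, `transferToken`) are all assumptions, and the "token" is a simplified stand-in for a transferable Follow NFT rather than a real ERC-721. `unfollowStrict` shows the permission check that leaves a seller stuck once the token has changed hands; `unfollowFixed` shows the report's recommended mitigation, letting the follower profile's owner sever the follow regardless of who holds the token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical, simplified follow registry (not the Lens FollowNFT contract).
/// A follow is recorded per follower profile and materialised as a transferable
/// follow token, so the token holder and the follower profile's owner can diverge.
contract FollowRegistryModel {
    uint256 private _nextTokenId = 1;

    // profileId => owner address (assumption: profiles are owned by plain addresses)
    mapping(uint256 => address) public profileOwner;
    // followTokenId => current holder of the follow token
    mapping(uint256 => address) public tokenOwner;
    // followTokenId => address the holder has approved as operator
    mapping(uint256 => address) public approvedOperator;
    // follower profileId => followTokenId (0 means "not following")
    mapping(uint256 => uint256) public followTokenIdByFollowerProfile;

    error NotFollowing();
    error NotProfileOwner();
    error DoesNotHavePermissions();

    function registerProfile(uint256 profileId) external {
        profileOwner[profileId] = msg.sender;
    }

    /// The follower profile's owner follows; a transferable token is minted to them.
    function follow(uint256 followerProfileId) external returns (uint256 tokenId) {
        if (profileOwner[followerProfileId] != msg.sender) revert NotProfileOwner();
        tokenId = _nextTokenId++;
        tokenOwner[tokenId] = msg.sender;
        followTokenIdByFollowerProfile[followerProfileId] = tokenId;
    }

    /// Simplified transfer standing in for a sale of the follow token.
    /// Note that the follow record for the original profile is NOT cleared.
    function transferToken(uint256 tokenId, address to) external {
        require(tokenOwner[tokenId] == msg.sender, "not token owner");
        tokenOwner[tokenId] = to;
        delete approvedOperator[tokenId];
    }

    function approve(uint256 tokenId, address operator) external {
        require(tokenOwner[tokenId] == msg.sender, "not token owner");
        approvedOperator[tokenId] = operator;
    }

    /// Restrictive variant (the pattern the finding describes): only the token
    /// holder or its approved operator may unfollow. Once the token has been
    /// sold, the follower profile's owner no longer passes this check and is
    /// stuck following unless the buyer cooperates.
    function unfollowStrict(uint256 followerProfileId) external {
        uint256 tokenId = followTokenIdByFollowerProfile[followerProfileId];
        if (tokenId == 0) revert NotFollowing();
        if (tokenOwner[tokenId] != msg.sender && approvedOperator[tokenId] != msg.sender) {
            revert DoesNotHavePermissions();
        }
        delete followTokenIdByFollowerProfile[followerProfileId];
    }

    /// Mitigated variant, following the report's recommendation: the owner of
    /// the follower profile may always sever the follow, independent of who
    /// holds the token. The token stays with its current holder; only the
    /// follow relationship is removed.
    function unfollowFixed(uint256 followerProfileId) external {
        uint256 tokenId = followTokenIdByFollowerProfile[followerProfileId];
        if (tokenId == 0) revert NotFollowing();
        bool isProfileOwner = profileOwner[followerProfileId] == msg.sender;
        bool isHolderOrOperator =
            tokenOwner[tokenId] == msg.sender || approvedOperator[tokenId] == msg.sender;
        if (!isProfileOwner && !isHolderOrOperator) revert DoesNotHavePermissions();
        delete followTokenIdByFollowerProfile[followerProfileId];
    }
}
```

To reproduce the finding against this model: the profile owner calls `follow`, then `transferToken` to a second address, then `unfollowStrict`, which reverts with `DoesNotHavePermissions`; the same sequence against `unfollowFixed` succeeds because the caller still owns the follower profile. When reviewing a contract with this shape, the property to check is that every party who can be bound by a relationship also has a path to end it that does not depend on a transferable asset they may no longer hold.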

c4-pre-sort commented 1 year ago

141345 marked the issue as duplicate of #145

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory

c4-judge commented 1 year ago

Picodes changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

This previously downgraded issue has been upgraded by Picodes

c4-judge commented 1 year ago

Picodes marked the issue as not a duplicate

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #145