Lines of code
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/ProfileLib.sol#L105
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/ProfileLib.sol#L96
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/ProfileLib.sol#L204
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/ProfileLib.sol#L81
Vulnerability details
Impact
The LensHub.sol functions setProfileMetadataURI(), setProfileMetadataURIWithSig(), setFollowModule(), setFollowModuleWithSig(), collect(), collectWithSig(), act(), actWithSig(), setProfileImageURI(), setProfileImageURIWithSig() and others use the onlyProfileOwnerOrDelegatedExecutor and whenNotPaused modifiers. However, the modifier checks can be bypassed by calling these functions directly in the libraries.
Proof of Concept
Callable functions in libraries are external and do not check the calling address:
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/ProfileLib.sol#L105
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/ProfileLib.sol#L96
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/ProfileLib.sol#L204
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/ProfileLib.sol#L81
And others.
Tools Used
VSCode
Recommended Mitigation Steps
Check in the libraries that they are called by the LensHub.sol contract.
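One way to express the recommended check, as an added sketch that is not code from the Lens repository or from this report: the library compares address(this) with the hub address, which only matches when the function runs through the hub's DELEGATECALL. GuardedProfileLib, HubSketch, the HUB placeholder address and the simplified storage layout are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical library: not the project's ProfileLib.
library GuardedProfileLib {
    // Placeholder, not a real deployment. Assumes the hub (or its proxy)
    // address is known before the library is compiled.
    address internal constant HUB = address(uint160(0x1001));

    error NotCalledThroughHub();

    // External library function, so the hub reaches it via DELEGATECALL.
    function setProfileMetadataURI(
        mapping(uint256 => string) storage metadataURIs,
        uint256 profileId,
        string calldata metadataURI
    ) external {
        // Under the hub's DELEGATECALL, address(this) is the hub.
        // In a direct call to the library, address(this) is the library itself.
        if (address(this) != HUB) revert NotCalledThroughHub();
        metadataURIs[profileId] = metadataURI;
    }
}

// Hypothetical hub: the owner check lives in a modifier, as in LensHub.sol.
// It must be deployed at HUB for the library guard to pass.
contract HubSketch {
    mapping(uint256 => address) internal profileOwners;
    mapping(uint256 => string) internal metadataURIs;

    modifier onlyProfileOwner(uint256 profileId) {
        require(msg.sender == profileOwners[profileId], "not profile owner");
        _;
    }

    function setProfileMetadataURI(uint256 profileId, string calldata metadataURI)
        external
        onlyProfileOwner(profileId)
    {
        // The modifier has already run; the library re-checks its execution context.
        GuardedProfileLib.setProfileMetadataURI(metadataURIs, profileId, metadataURI);
    }
}
```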
Assessed type
Access Control