code-423n4 / 2023-07-lens-findings


profileIdAllowedToRecover is not handled properly in tryMigrate() #158

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-lens/blob/main/contracts/FollowNFT.sol#L394

https://github.com/code-423n4/2023-07-lens/blob/main/contracts/FollowNFT.sol#L480

Vulnerability details

Impact

In FollowNFT.sol, when calling tryMigrate(), the state at the end should be the same as when you call _baseFollow() and freshly follow the owner of the collection. However, profileIdAllowedToRecover is not handled inside tryMigrate(), and it should be deleted, as it is in the case of _baseFollow().

Proof of Concept

https://github.com/code-423n4/2023-07-lens/blob/main/contracts/FollowNFT.sol#L394

https://github.com/code-423n4/2023-07-lens/blob/main/contracts/FollowNFT.sol#L480

Tools Used

Manual review.

Recommended Mitigation Steps

Add the following line to tryMigrate():

delete _followDataByFollowTokenId[followTokenId].profileIdAllowedToRecover;

Assessed type

Other

141345 commented 1 year ago

Lacks detailed impact/loss.

QA might be more appropriate.

donosonaumczuk commented 1 year ago

You can only have the profileIdAllowedToRecover set if you unfollow on Lens V2 using an unwrapped token, but those follows are already V2 follows (either V1 migrated to V2, or fresh V2 follows).

c4-sponsor commented 1 year ago

donosonaumczuk marked the issue as sponsor disputed

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid