Closed code423n4 closed 1 year ago
lack detailed impact/loss
QA might be more appropriate.
You can only have the profileIdAllowedToRecover set if you unfollow on Lens V2 using an unwrapped token, but those follows are already V2 follows (either V1 migrated to V2, or fresh V2 follows)
donosonaumczuk marked the issue as sponsor disputed
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/FollowNFT.sol#L394 https://github.com/code-423n4/2023-07-lens/blob/main/contracts/FollowNFT.sol#L480
Vulnerability details
Impact
In FollowNFT.sol, when calling tryMigrate(), the state at the end should be the same as when you call _baseFollow() and freshly follow the owner of the collection. However, profileIdAllowedToRecover is not handled inside tryMigrate(), and it should be deleted as it is in the case of _baseFollow().
Proof of Concept
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/FollowNFT.sol#L394 https://github.com/code-423n4/2023-07-lens/blob/main/contracts/FollowNFT.sol#L480
Tools Used
Manual review.
Recommended Mitigation Steps
Add the following line to tryMigrate():
delete _followDataByFollowTokenId[followTokenId].profileIdAllowedToRecover;
Assessed type
Other