code423n4 opened 1 year ago
Picodes marked the issue as grade-a
Picodes marked the issue as selected for report
For the report:
L-10: can be changed to NC as discussed here https://github.com/code-423n4/2023-07-lens-findings/issues/166. L-12: can be changed to NC in the absence of an example.
Note as well #138, #139 among downgraded findings.
Overall outstanding work!
For transparency, the sponsor has responded via outside communications with the following comments:
- [L-05] It does not apply, it is a feature by design, not an issue at all, and no risk involved.
- [L-05] This is by design. Also "switching back to a previous config might potentially give the previous owner the ability to steal the profile" is invalid, as delegated executors have only rights over social operations (e.g. post, comment, follow, etc.) but not over asset operations (e.g. approve, transferFrom, etc.).
- [L-06] Does not make sense, you can always add checks for things that your business logic does not allow, but what is the point? A mirror cannot initialize a publication action, and that's part of the core business logic, so no extra checks needed.
- [N-06] That is perfectly fine and fair! This is not an issue.
See the markdown file with the details of this report here.