Users can burn follow token without unfollow

[code423n4]

Lines of code

https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/base/LensBaseERC721.sol#L264-L269 https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/FollowNFT.sol#L255-L258

Vulnerability details

Impact

Lack of access control in this function can lead to users burning their tokens without updating related mappings. For example in the FollowNFT.sol contract, burn() function will call _unfollowIfHasFollower() function first, and then burn token. but even users can burn with public function in LensBaseERC721 contract.

Proof of Concept

• Bob wants to burn his tokens, but he calls the burn() function in the LensBaseERC721.sol contract
• However, he should call burn() function in FollowNFT.sol contract because needs to update related mappings (unfollow process)
• As a result, Bob burned his follow token but doesn't unfollow, So Bob still follower based on mappings status but even he burned his token.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider modifier for burn() function in LensBaseERC721.sol contract.

Assessed type

Other

[donosonaumczuk]

The burn function at Follow NFT overrides the one at LensBaseERC721.

    function burn(uint256 followTokenId) public override {
        _unfollowIfHasFollower(followTokenId);
        super.burn(followTokenId);
    }

So the described above does not apply.

[c4-sponsor]

donosonaumczuk marked the issue as sponsor disputed

[c4-judge]

Picodes marked the issue as unsatisfactory: Invalid