Lines of code
https://github.com/code-423n4/2023-07-lens/blob/cdef6ebc6266c44c7068bc1c4c04e12bf0d67ead/contracts/FollowNFT.sol#L48-L56
Vulnerability details
Impact
The initialize() function in the FollowNFT.sol contract is external, so anyone can call it. A comment in the code says: "This is called right after deployment by the LensHub, so we can skip the onlyHub check." Because there is no caller check, an attacker can call the function before the LensHub does by submitting the call with a higher gas fee, and can thereby set the contract's initialization data. Since _initialized is then set to true, the function cannot be called again, so the legitimate initialization can no longer be performed.
Proof of Concept
1. A malicious user watches the mempool.
2. They see a transaction that calls the initialize() function.
3. They call initialize() themselves with a higher gas fee.
4. As a result the attacker's transaction is executed first and they can set the function's data as they please.
5. _initialized is set to true, so the function cannot be called again.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider adding access control to initialize() (such as the onlyHub check the code comment mentions) so that only the LensHub can call it.
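The unprotected initializer next to a hub-restricted version, as an added illustration that is not the Lens code; the contract names, the profileId parameter and the HUB immutable are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified illustration (not the Lens code): an initializer that any caller can
// front-run, next to a version restricted to the deploying hub.

error AlreadyInitialized();
error NotHub();

contract FrontRunnableFollowNFT {
    uint256 public profileId;
    bool private _initialized;

    // Weak: no caller check, so whoever lands first after deployment sets profileId,
    // and the flag then makes the legitimate hub call revert.
    function initialize(uint256 profileId_) external {
        if (_initialized) revert AlreadyInitialized();
        _initialized = true;
        profileId = profileId_;
    }
}

contract HubRestrictedFollowNFT {
    // Hub address fixed at deployment. Immutables live in bytecode, so clones of this
    // implementation share the value without any storage write (assumed deployment model).
    address public immutable HUB;
    uint256 public profileId;
    bool private _initialized;

    constructor(address hub) {
        HUB = hub;
    }

    modifier onlyHub() {
        if (msg.sender != HUB) revert NotHub();
        _;
    }

    // Hardened: only the hub can initialize, so a mempool front-runner's call reverts
    // before _initialized is touched.
    function initialize(uint256 profileId_) external onlyHub {
        if (_initialized) revert AlreadyInitialized();
        _initialized = true;
        profileId = profileId_;
    }
}
```

A unit test that calls initialize() from a non-hub address and expects a NotHub revert is a cheap way to keep this check from regressing.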
Assessed type
Access Control