Closed code423n4 closed 1 year ago
This hasn't been tested yet; these modules' contracts are out of scope, as specified in the provided documentation. We kept them in the repo for context, so wardens can understand how the flows work with proper examples.
We appreciate the finding.
donosonaumczuk marked the issue as sponsor disputed
Picodes marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/modules/act/seadrop/SeaDropMintPublicationAction.sol#L231-L232
Vulnerability details
Impact
LensHub.act is used to perform the specified action on the specified publication, which must be the action enabled by the publication when it was created. The publicationActionParams parameter of LensHub.act is the PublicationActionParams structure, which is passed by the caller. A publication enables SeaDropMintPublicationAction, and the caller can execute this action via LensHub.act. If PublicationActionParams.referrerProfileIds set by caller is an empty array, tx will revert due to division by zero. Setting referrerProfileIds to empty is not a malicious input, but a normal business scenario.
Proof of Concept
The flow of executing SeaDropMintPublicationAction via LensHub.act is as follows:
SeaDropMintPublicationAction.processPublicationAction internally transfers the wmatic required by minting nft from the caller, mints nft to actorProfileOwner, and finally distributes fees according to whether expectedFees is greater than 0. Let's look at the code snippet of _distributeFees:
As mentioned above, only if PublicationActionParams.referrerProfileIds is not empty, the action can be successfully executed. This obviously does not conform to the design.
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
Math
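The failure mode reported above, as an added sketch that is not the SeaDropMintPublicationAction source and not part of the original report. The contract name, the function names and the assumption that a referrers' cut is divided by referrerProfileIds.length are hypothetical, chosen only to show why an empty array reverts and one way to guard it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical illustration only; names and fee logic are assumptions,
/// not the project's _distributeFees implementation.
contract ReferrerFeeSplitSketch {
    /// Unguarded split: when referrerProfileIds is empty the divisor is 0.
    /// In Solidity >= 0.8 this reverts with Panic(0x12), and because the
    /// revert bubbles up, the whole LensHub.act call fails.
    function perReferrerUnguarded(
        uint256 referrersCut,
        uint256[] calldata referrerProfileIds
    ) external pure returns (uint256) {
        return referrersCut / referrerProfileIds.length;
    }

    /// Guarded split: an empty array means there is nothing to divide.
    /// Returns the amount owed to each referrer and the amount left
    /// unallocated, which the caller must route to another recipient.
    function splitGuarded(
        uint256 referrersCut,
        uint256[] calldata referrerProfileIds
    ) external pure returns (uint256 perReferrer, uint256 unallocated) {
        uint256 n = referrerProfileIds.length;
        if (n == 0) {
            // No referrers: skip the division and leave the cut unallocated.
            return (0, referrersCut);
        }
        perReferrer = referrersCut / n;
        // Integer division rounds down; track the dust so it is not lost.
        unallocated = referrersCut - perReferrer * n;
    }
}
```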