code423n4 | Code4rena | CODE423N4:2023-07-LENS-FINDINGS-ISSUES-148
Jul 31, 2023 - 12:00 a.m.

Identifying publications using its ID makes the protocol vulnerable to blockchain re-orgs

Code4rena
github.com
blockchain re-org vulnerability
unique publication id
potential fund loss

AI Score: 6.8 Medium (Confidence: High)

Lines of code

Vulnerability details

Bug Description

In the protocol, publications are uniquely identified through the publisher’s profile ID and the publication’s ID. For example, when a user calls act(), the publication being acted on is determined by publicationActedProfileId and publicationActedId:

ActionLib.sol#L23-L26

        Types.Publication storage _actedOnPublication = StorageLib.getPublication(
            publicationActionParams.publicationActedProfileId,
            publicationActionParams.publicationActedId
        );

However, as publication IDs are not based on the publication’s data, this could cause users to act on the wrong publication in the event a blockchain re-org occurs.

For example:

  • Assume the following transactions occur in separate blocks:
    • Block 1: Alice calls post() to create a post; its publication ID is 20.
    • Block 2: Bob is interested in the post and calls act() with publicationActedId = 20 to act on it.
    • Block 3: Alice calls comment() separately, which creates another publication; its publication ID is 21.
  • A blockchain re-org occurs; block 1 is dropped and block 3 takes its place:
    • Alice’s comment now has the publication ID 20 instead of 21.
  • Bob’s call to act() in block 2 is applied on top of the re-orged blockchain:
    • This causes him to act on the comment instead of the post he intended to, as it now has the publication ID 20.

In this scenario, due to the blockchain re-org, Bob calls act() on a different publication than the one he wanted. This could have severe impacts depending on the action module being called; if the action module is used to collect and pay fees to the publisher and referrals (e.g. MultirecipientFeeCollectModule.sol), Bob could have lost funds.

Note that this also applies to comment(), mirror() and quote(), as they can be called with reference modules with sensitive logic as well.

Impact

If a blockchain re-org occurs, users could potentially act/comment/mirror/quote on the wrong publication, which has varying impacts depending on the action or reference module being used, such as a loss of funds due to paying fees.

Given that Lens Protocol is deployed on Polygon, which has experienced large re-orgs in the past, the likelihood of the scenario described above occurring due to a blockchain re-org is not low.

Recommended Mitigation

Consider identifying publications with a method that is dependent on their contents. For example, users could be expected to provide the keccak256 hash of a publication’s contents alongside its publication ID.

This would prevent users from acting on the wrong publication should a publication’s contents change despite having the same ID.
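
The re-org scenario and the recommended content-hash check, as an added example that is not part of the original report or of Lens Protocol's code. It is a toy Python model: Hub, replay and the starting ID of 20 are assumptions made for illustration, and SHA3-256 stands in for keccak256 because Python's standard library has no Keccak-256.

```python
import hashlib

def content_hash(content: str) -> bytes:
    # Assumption: SHA3-256 stands in for keccak256 (not in Python's stdlib).
    return hashlib.sha3_256(content.encode()).digest()

class Hub:
    """Toy model of sequentially assigned publication IDs (hypothetical, not Lens code)."""
    def __init__(self, first_id=20):
        self.next_id = first_id
        self.pubs = {}  # (profile_id, pub_id) -> content

    def publish(self, profile_id, content):
        pub_id, self.next_id = self.next_id, self.next_id + 1
        self.pubs[(profile_id, pub_id)] = content
        return pub_id

    def act(self, profile_id, pub_id, expected_hash=None):
        content = self.pubs.get((profile_id, pub_id))
        if content is None:
            raise LookupError("publication does not exist")
        # Mitigation: bind the call to the content the caller saw, not just the ID.
        if expected_hash is not None and content_hash(content) != expected_hash:
            raise ValueError("content hash mismatch")
        return content

ALICE = 1
POST, COMMENT = "Alice's post", "Alice's comment"
BOB_ACT = ("act", 20)                      # Bob's signed call: publicationActedId = 20
ORIGINAL = [("publish", POST), BOB_ACT, ("publish", COMMENT)]   # blocks 1, 2, 3
REORGED = [("publish", COMMENT), BOB_ACT]  # block 1 dropped, block 3 in its place

def replay(txs, expected_hash=None):
    """Apply transactions in chain order; return what Bob's act() landed on."""
    hub, outcome = Hub(), None
    for kind, arg in txs:
        if kind == "publish":
            hub.publish(ALICE, arg)
        else:
            try:
                outcome = hub.act(ALICE, arg, expected_hash)
            except (LookupError, ValueError) as err:
                outcome = f"reverted: {err}"
    return outcome

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("re-orged", REORGED)):
        print(name, "| ID only:", replay(chain),
              "| ID + hash:", replay(chain, content_hash(POST)))
```

With the ID alone, Bob's replayed call lands on the comment after the re-org; with the hash supplied, the same call reverts instead.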

Assessed type

Other

