The profileId is incremented using ++_profileCounter inside the createProfile function without any overflow checks in createProfile function

Lines of code Vulnerability details Impact If this issue exists, profileCounter reaches the maximum value, it will wrap around and reset to its minimum value, which is 0 for unsigned integers in Solidity. This unintended behavior can have several negative impacts on the functioning of the contrac...

setDirectPrice is vulnerable to sandwich attack

Lines of code Vulnerability details Impact In ChainlinkOracle.sol we have setDirectPrice: function setDirectPriceaddress asset, uint256 price external onlyAdmin emit PricePostedasset, pricesasset, price, price; pricesasset = price; This function setDirectPrice allows the admin...

Anyone can permanently disable the token guardian for their wallet by calling this one DANGER__disableTokenGuardian function

Lines of code Vulnerability details Impact A hacker could call DANGERdisableTokenGuardian, instantly disable the guardian and steal tokens or make malicious approvals Proof of Concept The DANGERdisableTokenGuardian function is risky and should be reconsidered. The main issue is that it allows...

Overflow/underflow when creating the exchange rate Exp.

Lines of code Vulnerability details Impact Incorrect exchange rate values Proof of Concept the exchangeRateStoredInternal function is missing validation on the Exp mantissa size before creating the exchange rate Exp. This could lead to overflow. This would make the mantissa of exchangeRate equal ...

approve() can be front-run

Lines of code Vulnerability details Impact In MToken.sol we have approve function: function approveaddress spender, uint256 amount override external returns bool address src = msg.sender; transferAllowancessrcspender = amount; emit Approvalsrc, spender, amount; ...

The onlyProfileOwnerOrDelegatedExecutor and whenNotPaused checks can be bypassed

Lines of code Vulnerability details Impact The LensHub.sol functions setProfileMetadataURI, setProfileMetadataURIWithSig, setFollowModule, setFollowModuleWithSig, collect, collectWithSig, act, actWithSig, setProfileImageURI, setProfileImageURIWithSig and others use...

EIP-712 typehash is incorrect for several functions in MetaTxLib

Lines of code Vulnerability details Bug Description In LensHub.sol, the second parameter of setProfileMetadataURIWithSig is declared as metadataURI: LensHub.solL119-L123 function setProfileMetadataURIWithSig uint256 profileId, string calldata metadataURI, Types.EIP712Signature calldata signature...

No Receive functiion in TemporalGovernor contract

Lines of code Vulnerability details Impact The function executeProposal in TemporalGovernor contract will fail, if there is a value to send with the call to the targets executeProposal function could send native token out along with a call to the targets encoded in vm.payload, but the current...

the TemporalGovernor.sol can be unpaused when it should still in the pause mood

Lines of code Vulnerability details Impact the TemporalGovernor implemented in a way that if the guardians pause the system then the system will be paused to period of time and the system will remove the guradians approve till the system reApprove them again and going to the unpause mood, the...

In LensBaseERC721.sol#_transfer() Lack of check from==to

Lines of code Vulnerability details Impact In LensBaseERC721.soltransfer balances of from and to are stored in temporary variables and after the subtration, addition operation the results are written to storage. In the second operation since the original balance is used in the addition operation,...

the unfollow contract does random unfollow process of random follow token.

Lines of code Vulnerability details Impact in the FollowNft.sol we have to unfollow function this function is supposed to do unfollow process but as you see the followTokenId variable just returns one random follow id with profile id through mapping and there is no option to select which follow n...

excuteProposal can fail due to Wormhole guardian change

Lines of code Vulnerability details Impact Wormhole governance can change signing guardian sets. If this happens between a proposal is queued and a proposal is executed. The second verification in executeProposal will fail as the guardian set has changed between queuing and executing. This would...

lack of payable

Lines of code Vulnerability details Impact If it is not marked payable, the contract will throw an exception if it receives plain ether without data. Proof of Concept Tools Used Recommended Mitigation Steps fallback function should be payable Assessed type Payable --- The text was updated...

THERE IS NO FUNCTIONALITY TO LIQUIDATE THE DEPRECATED MTOKEN MARKETS

Lines of code Vulnerability details Impact The Mtoken markets configured for the respective collateral asset types can get deprecated due to various reasons associated with those assets. There should be functionality in the Comptroller.liquidateBorrowAllowed function to liquidate all the borrows ...

First mint user can inflate share which can steal asset from other user

Lines of code Vulnerability details Impact A well know inflation attack/first deposit mint bug. The attacker can steal assets from other user's deposit mint. Proof of Concept The Moonwell project is a fork from the Compound Protocol. The MToken the MToken on Compound represents a yield-bearing...

Profile owner can set royalties on a follow NFT they don't own.

Lines of code Vulnerability details Impact Profile owner can drain royalties from follow NFTs they don't own Proof of Concept The beforeRoyaltiesSet modifier checking only the profile owner instead of the follow NFT owner presents a major vulnerabilities It allows the profile owner to set royalti...

missing check for the max/min price in the chainlinkOracle.sol contract

Lines of code Vulnerability details Impact the chainlinkOracle.sol contract specially the getChainlinkPrice function using the aggregator v2 and v3 to get/call the latestRoundData. the function should check for the min and max amount return to prevent some case happen, something like this: if cas...

Any extra reward tokens that accumulate in the contract remain locked there permanently.

Lines of code Vulnerability details Impact Funds get locked in contract resulting to Loss of asset control, funds and increased costs to recover fund Proof of Concept Reviewing the list of external and public functions, there is no withdraw or reclaim function: 2. Scanning the contract code, ther...

Users positions can be directly liquidated when the admin changes the collateralFactorMantissa from a higher value to a lower value

Lines of code Vulnerability details Impact In Comptroller contract : Market.collateralFactorMantissa mltiplier represents the maximum underlying asset amount the depositors can borrow against their collateral in a market,for example:if it is set to 0.9;then 90% of collateral value is allowed to b...

Unauthorized Admin Transfer Vulnerability

Lines of code Vulnerability details Description The bug in this contract is that it doesn't handle the case when the pendingAdmin is set to the zero address address0. As per the condition msg.sender == address0, the if statement can be bypassed if an attacker sets pendingAdmin to the zero address...

Cannot unwrap token after recovering through wrapping

Lines of code Vulnerability details Impact Cannot unwrap token after recovering through wrapping. Proof of Concept FollowNFTunwrap checks if followerProfileId for the token is not 0: if followDataByFollowTokenIdfollowTokenId.followerProfileId == 0 revert NotFollowing; while after recovering token...

Potential Exploitation due to Lack of Price Range Checks in Oracle Implementation

Lines of code Vulnerability details Impact Chainlink aggregators have a built in circuit breaker if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value i.e. LUNA crash the price of the oracle will continue to return the...

[ H ] Infinite loop in calculateNewIndex prevents tokens from being minted and rewards from being distributed

Lines of code Vulnerability details Impact Recursive calls from calculateNewIndex in MultiRewardDistributor will result in an infinite loop and out of gas errors, preventing tokens from being minted and rewards being sent to some users as disburseSupplierRewardsInternal will not be called. Proof ...

Default Account fallback lack payable

Lines of code Vulnerability details Impact fallback lack payable,will lead to differences from the mainnet, and many existing protocols may not work Proof of Concept DefaultAccount Defined as follows: DefaultAccount The implementation of the default account abstraction. This is the code that is...

profileIdAllowedToRecover is not handled properly in tryMigrate()

Lines of code Vulnerability details Impact In FollowNFT.sol, when calling tryMigrate, the state at the end should be the same when you call baseFollow and fresh follow the owner of the collection. However, profileIdAllowedToRecover is not handled inside of tryMigrate and it should be deleted as...

Attackers might be able to avoid calling reference modules when creating publications

Lines of code Vulnerability details Bug Description When comment, mirror or quote is called on a publication with a reference module, the reference module will be called. For example, when a user mirrors another publication with a reference module, the processMirror function of that reference...

BORROWERS CAN AVOID LIQUIDATIONS, IF ERC777 TOKEN IS CONFIGURED AS AN emissionToken

Lines of code Vulnerability details Impact If a borrower is undercollateralized then he can be liquidated by a liquidator by calling the MErc20.liquidateBorrow function. liquidateBorrow function calls the MToken.liquidateBorrowFresh in its execution process. Inside the liquidateBorrowFresh functi...

Attacker can Steal all eths of WETHRouter.sol through redeem function

Lines of code Vulnerability details Impact An attacker can Steal eths through redeem function in WETHRouter.sol as you know the contract does the redeem process and redeem user mTokens to ETHs, and as you know we have the function of mint which is the opposite of this and users deposit ETH in ord...

Due to revert found during testing it would be wise to implement a rollback and re-whitelist should it be needed

Lines of code Vulnerability details Impact During testing with the Mainnet fork for the migration testing. We needed to make a distinction between V1 Profiles and V2 profiles within the test code, but this is not so in the standard V2 code, and may cause unforeseen issues after the upgrade. The V...

Users can unfollow through FollowNFT contract when LensHub is paused by governance

Lines of code Vulnerability details Bug Description When the LensHub contract has been paused by governance state set to ProtocolState.Paused, users should not be able unfollow profiles. This can be inferred as the unfollow function has the whenNotPaused modifier: LensHub.solL368-L371 function...

Migration of Profiles can fail due to existance of same handle

Lines of code Vulnerability details Impact Some profiles cannot be migrated to V2 if their handle tokenId has already been minted. Proof of Concept A handle can be minted in the LensHandles contract before a profile that would have the same handle is migrated from V1. When the profile attempts to...

High - TemporalGovernor.sol - Malicious Governance Propsoals can interact with Metamorphic Contracts resulting in Business Critical Risk to the Protocol

Lines of code Vulnerability details High - TemporalGovernor.sol - Malicious Governance Propsoals can interact with Metamorphic Contracts resulting in Business Critical Risk to the Protocol Impact Due to the permisionless governance execution method, with no ascribed or implemented security...

the unbounded approve function allows a front-running vulnerability due to setting unlimited allowance.

Lines of code Vulnerability details Impact if approve is called with a very high allowance, the spender can drain the owner's entire balance. Proof of Concept approve allows setting an allowance to any arbitrary uint256 value, including typeuint.max. This effectively gives unlimited approval to t...

Whitelisted profile creators could accidentally break migration for V1 profiles

Lines of code Vulnerability details Bug Description Profiles that exist before the V2 upgrade are migrated using the batchMigrateProfiles function, which works by minting the profile's handle and linking it to their profile: MigrationLib.solL69-L85 string memory handle =...

User can bypass their approved redeem allowance

Lines of code Vulnerability details Impact The caller can bypass the allowance check by exploiting the exchange rate calculation and drain funds from the contract up to the full balance owned by msg.sender, not just the amount approved in the allowance. Proof of Concept The issue is that...

Missing owner check on from when transferring tokens

Lines of code Vulnerability details Impact The LensBaseERC721.transferFrom/safeTransferFrom/burn they check approvals on msg.sender through isApprovedOrOwnermsg.sender, tokenId, it is never checked that the specified from parameter is actually the owner of the NFT. An attacker can decrease other...

Inability of Followers and Followees to Commenting

Lines of code Vulnerability details Impact The lack of functionality restricts interaction and engagement between the profile owner and their followers or the users they follow. This limitation diminishes the platform's value, as users who are interested in a post or have a genuine reason to...

Privacy Violation: Unauthorized Access to Blocking Status of Profiles

Lines of code Vulnerability details Impact The smart contract contains a critical privacy violation that allows unauthorized users to access the blocking status of profiles. The isBlocked function, which is intended to check if one profile is blocked by another, lacks proper access controls and...

Front-Running Vulnerability in LensHub.sol's commentWithSig and quoteWithSig Functions

Lines of code Vulnerability details Impact A vulnerability has been discovered in LensHub.sol's commentWithSig and quoteWithSig functions. This vulnerability potentially enables an attacker to disrupt users' actions by front-running transactions, resulting in undesirable modifications of comments...

wrap after unfollow is enabled

Lines of code Vulnerability details Impact wrap after unfollownft is enabled , cause many problems Proof of Concept by design, wrap after unfollowed is not allowed,but it seems that it's possible due to lack of limitation. poc below: add below script in FollowNFTTest.t.sol //forge test --match-te...

Unauthenticated Access of withdrawToTreasury Makes _distributeFees Not Work

Lines of code Vulnerability details Impact Since the function withdrawToTreasury lacks authority control, anyone can call withdrawToTreasury to transfer erc20 token or native coin held by the contract to the treasury. This will indirectly cause the transaction which calls function...

Incorrect Signature Validation in LensHub Contract

Lines of code Vulnerability details Description The LensHub contract contains two functions, "setFollowModuleWithSig" and "setProfileImageURIWithSig," that allow users to set a follow module and profile image URI, respectively, for a profile using EIP712 signatures for verification. However, the...

Lack of Preventing Multiple Follows to the Same Profile ID

Lines of code Vulnerability details Impact The absence of a check for multiple follows to the same profile ID poses a significant security and integrity risk for the smart contract. By exploiting this vulnerability, a malicious user could inflate the number of followers for a particular profile I...

Function initialize Not Work

Lines of code Vulnerability details Impact As mentioned in the comment of the function initialize, "This is called right after deployment by the LensHub, so we can skip the onlyHub check". However, when the contract FollowNFT is deployed, the state variable initialized is set to true in the...

tryMigrate() has onlyHub modifier but it's called from LensV2Migration

Lines of code Vulnerability details Impact In FollowNFT.sol, tryMigrate function has onlyHub modifier as other functions that are supposed to be called by LensHub such as follow and unfollow. These functions are called via delegatecall and LensHub is preserved as msg.sender. The problem is that t...

Unchecked Call Return Value of ERC20 Functions

Lines of code Vulnerability details Impact The return value of 'transfer' and 'transferFrom' should be verified since these two functions may only return false but not cause execution reverted once fail. If not properly handled, it might incur asset losses to users and the project party. Tools Us...

Unauthorized Profile "Follow" Operation Bug

Lines of code Vulnerability details Description The contract's followWithSig function allows any user with a valid signature to execute "follow" operations on behalf of any profile without properly verifying the ownership of the profile or checking if the signer is an approved executor. This bug...

Incorrect implementation of binary search in _find() in History.sol can make BaseVotingVault.sol break and cannot return correct staleIndex

Lines of code Vulnerability details Impact The binary search implemented in find in History.sol is incorrect and in some cases cannot return a correct stale index, and as a result some functions in baseVotingVault.sol can not work properly like queryVotePower. Although History.sol is not in scope...

loss of user funds in ARCDVestingVault.sol

Lines of code Vulnerability details Impact In the contract ARCDVestingVault.sol the function delegate is used to delegate user votes to desired address but it fails to maintain the sanity check if the provided address is a zeroaddress or not function delegateaddress to external...

A user could call mint() with less ETH than the mintPrice and improperly mint badges for a cheaper cost.

Lines of code Vulnerability details Impact users underpaying to mint badges will lead to loss of funds Proof of Concept It checks if msg.value is less than the required mintPrice, but it does not check for the case where msg.value mintPrice. This means: A user could send only 1 wei when the...