Anyone can permanently disable the token guardian for their wallet by calling this one DANGER__disableTokenGuardian function

Lines of code Vulnerability details Impact A hacker could call DANGERdisableTokenGuardian, instantly disable the guardian and steal tokens or make malicious approvals Proof of Concept The DANGERdisableTokenGuardian function is risky and should be reconsidered. The main issue is that it allows...

The processBlock() function does the wrapping process wrongly

Lines of code Vulnerability details Impact The blocking process in the FollowNFT contract needs to wrap it first, but it does the wrapping process wrongly. wrapping process in wrap function update some statement and then mint token but if you look at processBlock function, it's just mint token an...

The profileId is incremented using ++_profileCounter inside the createProfile function without any overflow checks in createProfile function

Lines of code Vulnerability details Impact If this issue exists, profileCounter reaches the maximum value, it will wrap around and reset to its minimum value, which is 0 for unsigned integers in Solidity. This unintended behavior can have several negative impacts on the functioning of the contrac...

Possible integer underflow

Lines of code Vulnerability details Impact The previous FollowNFT implementation is different between v1.3 and v2.0. The followerCount is 0 for existing FollowNFTeven if lastFollowTokenId is not 0 after upgrade. // Old uint256 lastFollowTokenId slot splitted into two uint128s to include...

profileIdAllowedToRecover is not handled properly in tryMigrate()

Lines of code Vulnerability details Impact In FollowNFT.sol, when calling tryMigrate, the state at the end should be the same when you call baseFollow and fresh follow the owner of the collection. However, profileIdAllowedToRecover is not handled inside of tryMigrate and it should be deleted as...

Cannot unfollow a profile without having access to the Follow NFT

Lines of code Vulnerability details Impact In scenarios where a user fails to unfollow a profile before selling his follow NFT, he could forever be unable to unfollow the profile. Proof of Concept A user could sell his follow NFT without unfollowing a profile. If the new owner of the follow NFT...

Identifying publications using its ID makes the protocol vulnerable to blockchain re-orgs

Lines of code Vulnerability details Bug Description In the protocol, publications are uniquely identified through the publisher's profile ID and the publication's ID. For example, when a user calls act, the publication being acted on is determined by publicationActedProfileId and...

tryMigrate() doesn't ensure that followerProfileId isn't already following

Lines of code Vulnerability details Bug Description In FollowNFT.sol, the tryMigrate function is used to migrate users who were following before the V2 upgrade. It does so by updating followTokenIdByFollowerProfileId and followDataByFollowTokenId, which are state variables introduced in the V2...

Users cannot unfollow if they do not own the FollowNFT of the followTokenId used for their profile

Lines of code Vulnerability details Bug Description If the followTokenId of a profile is wrapped, users will only be able to unfollow if they are either: 1. The owner of the follow NFT. 2. An approved operator of the follow NFT's owner. This can be seen in the unfollow function of FollowNFT.sol:...

Users can unfollow through FollowNFT contract when LensHub is paused by governance

Lines of code Vulnerability details Bug Description When the LensHub contract has been paused by governance state set to ProtocolState.Paused, users should not be able unfollow profiles. This can be inferred as the unfollow function has the whenNotPaused modifier: LensHub.solL368-L371 function...

Due to revert found during testing it would be wise to implement a rollback and re-whitelist should it be needed

Lines of code Vulnerability details Impact During testing with the Mainnet fork for the migration testing. We needed to make a distinction between V1 Profiles and V2 profiles within the test code, but this is not so in the standard V2 code, and may cause unforeseen issues after the upgrade. The V...

Default Account fallback lack payable

Lines of code Vulnerability details Impact fallback lack payable,will lead to differences from the mainnet, and many existing protocols may not work Proof of Concept DefaultAccount Defined as follows: DefaultAccount The implementation of the default account abstraction. This is the code that is...

Whitelisted profile creators could accidentally break migration for V1 profiles

Lines of code Vulnerability details Bug Description Profiles that exist before the V2 upgrade are migrated using the batchMigrateProfiles function, which works by minting the profile's handle and linking it to their profile: MigrationLib.solL69-L85 string memory handle =...

the unfollow contract does random unfollow process of random follow token.

Lines of code Vulnerability details Impact in the FollowNft.sol we have to unfollow function this function is supposed to do unfollow process but as you see the followTokenId variable just returns one random follow id with profile id through mapping and there is no option to select which follow n...

More collateral is seized than approved

Lines of code Vulnerability details Impact More collateral is seized outside of the comptroller's approved liquidation amount which means excess seizeTokens are transferred from the borrower to the liquidator leading to loss of funds Proof of Concept liquidateBorrowFresh first checks the allowanc...

The FollowNFT.initialize() function will never be executed

Lines of code Vulnerability details Impact This function Initializes the follow NFT. To check if a function has already been initialized use: if initialized revert Errors.Initialized; This condition will always end with revert Errors.Initialized, because in the constructor, when expanding the...

exitMarket was missing reentrancy protection.

Lines of code Vulnerability details Impact exitMarket function in Comptroller.sol function was missing checks to prevent reentrancy exploitation. This allowed an attacker to call exitMarket multiple times before the newly borrowed amount was recorded. Since the borrowed amount was not actually...

THERE IS NO FUNCTIONALITY TO LIQUIDATE THE DEPRECATED MTOKEN MARKETS

Lines of code Vulnerability details Impact The Mtoken markets configured for the respective collateral asset types can get deprecated due to various reasons associated with those assets. There should be functionality in the Comptroller.liquidateBorrowAllowed function to liquidate all the borrows ...

First Depositor Attack is possible by front-running mip00 script execution

Lines of code Vulnerability details Overview The First Depositor Attack Within the context of Compound v2, a First Depositor Attack occurs when an attacker becomes the inaugural minter of a cToken. This enables them to establish the first exchange rate between the underlying asset and the cToken...

Attackers might be able to avoid calling reference modules when creating publications

Lines of code Vulnerability details Bug Description When comment, mirror or quote is called on a publication with a reference module, the reference module will be called. For example, when a user mirrors another publication with a reference module, the processMirror function of that reference...

if _rescueFunds was called with the address of a mToken, the admin would currently be able to sweep those tokens,

Lines of code Vulnerability details Impact It allows the admin to steal deposited funds from users It removes mTokens used as collateral to back borrows Proof of Concept Assume there is a mToken at address 0x123 that has issued some tokens. The admin calls rescueFunds0x123, uint.max. This will...

Signature malleability not protected against

Lines of code Vulnerability details Impact A signature should never be included into a signed message hash to check if previously messages have been processed by the contract. See reference: Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any othe...

the getChainlinkPrice() function calling the latestRoundData without using the try/catch to avoid bad possible scenario

Lines of code Vulnerability details Impact Call to latestRoundData could potentially revert and make it impossible to query any prices. the getChainlinkPrice function should use try/catch to avoid the case of the getChainlinkPrice function revert and cause dos/block the system. Proof of Concept t...

Migration of Profiles can fail due to difference in handle validity in V1 and V2

Lines of code Vulnerability details Impact Profiles with certain type of handles in V1 cannot be migrated to V2. Proof of Concept In V1 and V2, the validity of handles is determined differently. Due to this it is possible that some profiles have handles that are valid according to V1 validation b...

Nonces are not used in the signature checks

Lines of code Vulnerability details Impact A nonce can prevent an old value from being used when a new value exists. Without one, two transactions submitted in one order, can appear in a block in a different order Transactions on one identity can be replayed on another one. Proof of Concept...

Divide before multiply

Lines of code Vulnerability details Impact Solidity's integer division truncates. Thus, performing division before multiplication can lead to precision loss. Proof of Concept Tools Used Recommended Mitigation Steps Consider ordering multiplication before division. Assessed type Math --- The text...

Migration of Profiles can fail due to existance of same handle

Lines of code Vulnerability details Impact Some profiles cannot be migrated to V2 if their handle tokenId has already been minted. Proof of Concept A handle can be minted in the LensHandles contract before a profile that would have the same handle is migrated from V1. When the profile attempts to...

missing check for the max/min price in the chainlinkOracle.sol contract

Lines of code Vulnerability details Impact the chainlinkOracle.sol contract specially the getChainlinkPrice function using the aggregator v2 and v3 to get/call the latestRoundData. the function should check for the min and max amount return to prevent some case happen, something like this: if cas...

updatedAt TIMESTAMP IS NOT USED TO DETECT STALE ORACLE PRICES

Lines of code Vulnerability details Impact The external Chainlink oracle, which provides index price information to the system, introduces risk inherent to any dependency on third-party data sources. For example, the oracle could fall behind or otherwise fail to be maintained, resulting in outdat...

function _queueProposal not checking if the required time is passed to allow proposal to set to the queue list

Lines of code Vulnerability details Impact in the queueProposal function there is no check for if the requested time is passed to allow queue the proposal. in this case any proposal after creating can be added to the queue list. Proof of Concept the TemporalGovernor.sol contract have a variable...

safe32 WILL RESTRICT THE DURATION OF MultiRewardDistributor._addEmissionConfig FUNCTION USABILITY

Lines of code Vulnerability details Impact The MultiRewardDistributor.addEmissionConfig function is used to add a new emission configuration for a specific market. The addEmissionConfig function constructs the MarketConfig configuration struct using the input parameters to the function. The...

Profile owner can set royalties on a follow NFT they don't own.

Lines of code Vulnerability details Impact Profile owner can drain royalties from follow NFTs they don't own Proof of Concept The beforeRoyaltiesSet modifier checking only the profile owner instead of the follow NFT owner presents a major vulnerabilities It allows the profile owner to set royalti...

The _rescueFunds function allows sweeping any tokens, when it should only allow sweeping of the underlying asset

Lines of code Vulnerability details Impact abuse of sweeping arbitrary tokens. Proof of Concept The rescueFunds function allows sweeping any tokens, when it should only allow sweeping of the underlying asset Tools Used Manual Recommended Mitigation Steps Remove the tokenAddress parameter - no nee...

Liquidator can seize more tokens than the borrower has as collateral, leading to an arithmetic underflow and locking collateral.

Lines of code Vulnerability details Impact Lack of validation on seizeTokens could allow collateral locking by underflow. Proof of Concept The liquidateBorrowFresh function does not explicitly validate that seizeTokens is less than or equal to accountTokensborrower before transferring tokens from...

Reentrancy Vulnerability in MErc20Delegate.sol

Lines of code Vulnerability details Impact The fallback function delegates calls to the implementation contract using delegatecall. This allows the implementation contract to call back into MErc20Delegate before the original delegatecall completes. An attacker could exploit this vulnerability to...

Missing owner check on from when transferring tokens

Lines of code Vulnerability details Impact The LensBaseERC721.transferFrom/safeTransferFrom/burn they check approvals on msg.sender through isApprovedOrOwnermsg.sender, tokenId, it is never checked that the specified from parameter is actually the owner of the NFT. An attacker can decrease other...

Privacy Violation: Unauthorized Access to Blocking Status of Profiles

Lines of code Vulnerability details Impact The smart contract contains a critical privacy violation that allows unauthorized users to access the blocking status of profiles. The isBlocked function, which is intended to check if one profile is blocked by another, lacks proper access controls and...

wrap after unfollow is enabled

Lines of code Vulnerability details Impact wrap after unfollownft is enabled , cause many problems Proof of Concept by design, wrap after unfollowed is not allowed,but it seems that it's possible due to lack of limitation. poc below: add below script in FollowNFTTest.t.sol //forge test --match-te...

Inability of Followers and Followees to Commenting

Lines of code Vulnerability details Impact The lack of functionality restricts interaction and engagement between the profile owner and their followers or the users they follow. This limitation diminishes the platform's value, as users who are interested in a post or have a genuine reason to...

Front-Running Vulnerability in LensHub.sol's commentWithSig and quoteWithSig Functions

Lines of code Vulnerability details Impact A vulnerability has been discovered in LensHub.sol's commentWithSig and quoteWithSig functions. This vulnerability potentially enables an attacker to disrupt users' actions by front-running transactions, resulting in undesirable modifications of comments...

Function initialize Not Work

Lines of code Vulnerability details Impact As mentioned in the comment of the function initialize, "This is called right after deployment by the LensHub, so we can skip the onlyHub check". However, when the contract FollowNFT is deployed, the state variable initialized is set to true in the...

Incorrect Signature Validation in LensHub Contract

Lines of code Vulnerability details Description The LensHub contract contains two functions, "setFollowModuleWithSig" and "setProfileImageURIWithSig," that allow users to set a follow module and profile image URI, respectively, for a profile using EIP712 signatures for verification. However, the...

Unauthorized Profile "Follow" Operation Bug

Lines of code Vulnerability details Description The contract's followWithSig function allows any user with a valid signature to execute "follow" operations on behalf of any profile without properly verifying the ownership of the profile or checking if the signer is an approved executor. This bug...

Unchecked Call Return Value of ERC20 Functions

Lines of code Vulnerability details Impact The return value of 'transfer' and 'transferFrom' should be verified since these two functions may only return false but not cause execution reverted once fail. If not properly handled, it might incur asset losses to users and the project party. Tools Us...

tryMigrate() has onlyHub modifier but it's called from LensV2Migration

Lines of code Vulnerability details Impact In FollowNFT.sol, tryMigrate function has onlyHub modifier as other functions that are supposed to be called by LensHub such as follow and unfollow. These functions are called via delegatecall and LensHub is preserved as msg.sender. The problem is that t...

Lack of Preventing Multiple Follows to the Same Profile ID

Lines of code Vulnerability details Impact The absence of a check for multiple follows to the same profile ID poses a significant security and integrity risk for the smart contract. By exploiting this vulnerability, a malicious user could inflate the number of followers for a particular profile I...

Unauthenticated Access of withdrawToTreasury Makes _distributeFees Not Work

Lines of code Vulnerability details Impact Since the function withdrawToTreasury lacks authority control, anyone can call withdrawToTreasury to transfer erc20 token or native coin held by the contract to the treasury. This will indirectly cause the transaction which calls function...

IF FEE ON TRANSFER TOKEN CONFIGURED AS THE VOTING TOKEN FOR THE VAULT, IT COULD INTRODUCE ACCOUNTING ERROR FOR VOTE COUNT

Lines of code Vulnerability details Impact The NFTBoostVault.lockTokens function is used to transfer the ERC20 voting token of the vault and the ERC1155 NFT to the NFTBoostVault contract after accounting for their respective votes. The issue here is that a fee-on-transfer token could get selected...

Malicious actors could pass in huge arrays to disrupt service availability (DOS) in the updateVotingPower function

Lines of code Vulnerability details Impact The contract is stopped from being usable by legitimate users if the attacker repeatedly spammed large arrays Proof of Concept The updateVotingPower function currently only checks that the array is = 50: While 50 may be a reasonable limit for normal usag...

Manager can delete any users voting power

Lines of code Vulnerability details Impact A manager can maliciously/accidentally remove all voting power for all users due to missing input validation when setting the multiplier value. By setting a value smaller than 1e3 it will result in all multiplier calculations rounding to 0, causing loss ...