search

sherlock-audit / 2024-10-ethos-network-judging

0 stars 0 forks source link

LeFy - deleteAddressAtIndex() adds the wrong address to the removedAddresses[] list #188

Open sherlock-admin3 opened 2 weeks ago

sherlock-admin3 commented 2 weeks ago

LeFy

High

deleteAddressAtIndex() adds the wrong address to the removedAddresses[] list

Summary

In 'EthosProfile.sol', when user calls the deleteAddressAtIndex(), wrong address is being pushed to the profiles[profileId].removedAddresses array.

Root Cause

When a user wants to delete an address from the profile, the deleteAddressAtIndex() is called.

function deleteAddressAtIndex(uint256 addressIndex) external whenNotPaused {
    uint256 profileId = profileIdByAddress[msg.sender];
    (bool verified, bool archived, bool mock) = profileStatusById(profileId);
    if (!verified) {
      revert ProfileNotFoundForAddress(msg.sender);
    }
    if (archived || mock) {
      revert ProfileAccess(profileId, "Profile is archived");
    }

    address[] storage addresses = profiles[profileId].addresses;
    address[] storage removedAddresses = profiles[profileId].removedAddresses;
    if (addresses.length <= addressIndex) {
      revert InvalidIndex();
    }

    address addressStr = addresses[addressIndex];
    isAddressCompromised[addressStr] = true;
    _addressShouldDifferFromSender(addressStr);

    _deleteAddressAtIndexFromArray(addressIndex, addresses, removedAddresses);

    emit AddressClaim(profileId, addressStr, AddressClaimStatus.Unclaimed);
  }

Repo Link

  function _deleteAddressAtIndexFromArray(
    uint256 index,
    address[] storage addresses,
    address[] storage removedAddresses
  ) private {
    address addr = addresses[addresses.length - 1];
    addresses[index] = addr;
    removedAddresses.push(addr);
    addresses.pop();
  }

Repo Link

But in the _deleteAddressAtIndexFromArray() instead of adding the removed address addresses[index] to the removedAddresses array, the last address of the profile addresses addresses[addresses.length - 1] is aded to the removedAddresses array, which results in the wrong address getting added to the removed addresses

Impact

The wrong address is getting added to the removedAddresses list and cause errors.

Mitigation

Add the removed address to the removedAddresses array, the corrected implementation would be:

 function _deleteAddressAtIndexFromArray(
    uint256 index,
    address[] storage addresses,
    address[] storage removedAddresses
  ) private {
    address addr = addresses[addresses.length - 1];
    address removedAddress = addresses[index];
    addresses[index] = addr;
    removedAddresses.push(removedAddress);
    addresses.pop();
  }