Archived ProfileIds can still perform multiple actions in Ethos system.
Summary
A profileId can archive himself. When archived, this means the profile is disabled and cannot take any functional actions. The only action is to restore the profile back. - This was double-checked with the sponsor.
However, in the Ethos ecosystem, there are multiple functions that still can be accessed by archived profiles.
pkqs90
Medium
Archived ProfileIds can still perform multiple actions in Ethos system.
Summary
A profileId can archive himself. When archived, this means the profile is disabled and cannot take any functional actions. The only action is to restore the profile back. - This was double-checked with the sponsor.
However, in the Ethos ecosystem, there are multiple functions that still can be accessed by archived profiles.
Root Cause
EthosReview # archiveReview(): https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosReview.sol#L287EthosProfile # uninviteUser(): https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosProfile.sol#L258EthosAttestation # archiveAttestation(): https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosAttestation.sol#L334EthosAttestation # createAttestation() -> _claimAttestation(): https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosAttestation.sol#L269Internal pre-conditions
N/A
External pre-conditions
N/A
Attack Path
N/A
Impact
After the ProfileId is archived, he can still access the above 4 functionalities.
PoC
N/A
Mitigation
Always use
EthosProfile.verifiedProfileIdForAddress()to verify if the profileId is still active.