Lack of Target Contract Verification in EthosDiscussion.sol allows unauthorized replies to non-Ethos contracts
Summary
The missing verification check for targetContract in the addReply function of EthosDiscussion.sol will cause data pollution within the Ethos ecosystem, as unauthorized contracts can receive replies. An attacker can misuse this by creating replies linked to any arbitrary or malicious contract, misleading users and degrading data integrity across Ethos Network platforms.
Root Cause
In EthosDiscussion.sol: 105, there is no validation check on the targetContract input parameter in the addReply function, allowing replies to be added to non-Ethos contracts.
Internal pre-conditions
msg.sender must call addReply() on EthosDiscussion.sol.
msg.sender must set targetContract to an arbitrary contract address.
External pre-conditions
The arbitrary contract does not belong to the Ethos Network (i.e., it is not a valid Ethos contract).
Attack Path
The attacker calls addReply() on EthosDiscussion.sol, setting the targetContract parameter to an arbitrary address that is not managed by Ethos Network.
The addReply() function creates a reply linked to the non-Ethos contract without verifying its validity.
This action results in replies referencing unauthorized or malicious contracts, polluting Ethos data and misguiding users.
Impact
Ethos users suffer from data pollution and degraded trust, as replies can be misattributed to non-Ethos contracts, leading to potential misinformation or confusion about user interactions. The attacker does not gain directly but may benefit from the spread of misinformation or from exploiting Ethos data integrity.
PoC
The following code demonstrates the vulnerability due to the lack of contract verification in addReply():
0xmujahid002
High
Mitigation
To mitigate this vulnerability, add a check (added in EthosVote.sol: 88) to verify that the targetContract is an authorized Ethos contract:
This modification ensures that only authorized Ethos contracts can receive replies, maintaining data integrity across the Ethos ecosystem.
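The kind of check described in the mitigation, as an added example that is not code from this report or from the Ethos repository. The ITargetRegistry interface, its isTrusted function, and the contract, function and error names are assumptions made for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical registry of contracts that belong to the protocol.
// The interface and function name are assumptions, not the Ethos API.
interface ITargetRegistry {
    function isTrusted(address target) external view returns (bool);
}

contract DiscussionSketch {
    struct Reply {
        address author;
        address targetContract;
        uint256 parentId;
        string content;
    }

    error UntrustedTarget(address target);

    ITargetRegistry public immutable registry;
    Reply[] public replies;

    constructor(ITargetRegistry registry_) {
        registry = registry_;
    }

    // Before: targetContract is stored as given, so a reply can be
    // recorded against a contract the protocol does not manage.
    function addReplyUnchecked(address targetContract, uint256 parentId, string calldata content) external {
        _store(targetContract, parentId, content);
    }

    // After: the target must be known to the registry before any state
    // is written; otherwise the call reverts and nothing is stored.
    function addReply(address targetContract, uint256 parentId, string calldata content) external {
        if (!registry.isTrusted(targetContract)) revert UntrustedTarget(targetContract);
        _store(targetContract, parentId, content);
    }

    function _store(address targetContract, uint256 parentId, string calldata content) private {
        replies.push(Reply(msg.sender, targetContract, parentId, content));
    }
}
```

A unit test for the fix should assert that addReply reverts with UntrustedTarget for an unregistered address and that the replies array length is unchanged afterwards.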