Users can still do Self Review and can influence their reputation and credibility score
Summary
In 'EthosReview.sol' it is stated that self reviews are prohibited, but any user can still self review by reviewing their own address or attestation right before registering it to their profile.
Root Cause
Any user can self review by reviewing their own address or attestation right before registering it. The relevant code in `_addReview` is:
    function _addReview(
        uint256 mockId,
        address subject,
        bool isAttestation,
        bytes32 attestationHash,
        IEthosProfile ethosProfile
    ) internal returns (uint256 subjectProfileId) {
        // if profileId does not exist for subject, create and record a "mock"
        // note: nothing checks whether `subject` belongs (or will belong) to the review's author
        if (mockId == 0) {
            subjectProfileId = ethosProfile.incrementProfileCount(
                isAttestation,
                subject,
                attestationHash
            );
        } else {
            subjectProfileId = mockId;
        }
        reviewIdsBySubjectProfileId[subjectProfileId].push(reviewCount);
    }
When the user reviews an address or attestation right before registering it, a mock profile is created for that subject and the review is recorded against it. The user can then simply register the address or attestation, and it will carry the user's own reviews, manipulating the user's credibility score.
Impact
Every user can self review and directly influence their own credibility score and reputation, which contradicts the philosophy of Ethos.
Mitigation
One way to mitigate this would be to implement a function in EthosReview.sol, say deleteSelfReviews(), that is invoked whenever an address or attestation is registered to a profile. It would traverse the reviewIdsByAuthorProfileId array for that profile and flag those reviews whose subject address or attestation matches the address or attestation the user is registering.
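The following is an added, simplified model of that mitigation written for this write-up; it is not Ethos's code. Only the reviewIdsByAuthorProfileId name and the subject/attestationHash fields come from the report; the contract name, the Review struct, the archived flag and the register functions are assumptions. It flags (archives) any review the registering profile previously wrote about the exact address or attestation now being claimed, so those reviews can be excluded from scoring.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical model of registration-time self-review flagging.
/// Ownership/access checks on profileId are omitted to keep the model short.
contract SelfReviewGuard {
    struct Review {
        uint256 authorProfileId;
        address subject;          // used when isAttestation == false
        bool isAttestation;
        bytes32 attestationHash;  // used when isAttestation == true
        bool archived;            // true once flagged as a self review
    }

    Review[] public reviews;
    // name taken from the report; maps author profile -> ids of reviews they wrote
    mapping(uint256 => uint256[]) public reviewIdsByAuthorProfileId;

    event SelfReviewFlagged(uint256 indexed reviewId, uint256 indexed authorProfileId);

    function addReview(
        uint256 authorProfileId,
        address subject,
        bool isAttestation,
        bytes32 attestationHash
    ) external returns (uint256 reviewId) {
        reviewId = reviews.length;
        reviews.push(Review(authorProfileId, subject, isAttestation, attestationHash, false));
        reviewIdsByAuthorProfileId[authorProfileId].push(reviewId);
    }

    /// Registration hooks: run the self-review sweep before the subject becomes
    /// part of the registering profile.
    function registerAddress(uint256 profileId, address addr) external {
        _deleteSelfReviews(profileId, addr, false, bytes32(0));
        // ... actual address registration bookkeeping would follow here
    }

    function registerAttestation(uint256 profileId, bytes32 attestationHash) external {
        _deleteSelfReviews(profileId, address(0), true, attestationHash);
        // ... actual attestation registration bookkeeping would follow here
    }

    /// Mitigation described in the report: walk the author's reviews and flag
    /// every one whose subject matches what is being registered.
    /// Internal on purpose: if it were public, anyone could archive another
    /// profile's legitimate reviews by passing that profile's id.
    /// Cost is linear in the number of reviews the author has written.
    function _deleteSelfReviews(
        uint256 profileId,
        address addr,
        bool isAttestation,
        bytes32 attestationHash
    ) internal returns (uint256 flagged) {
        uint256[] storage ids = reviewIdsByAuthorProfileId[profileId];
        for (uint256 i = 0; i < ids.length; i++) {
            Review storage r = reviews[ids[i]];
            if (r.archived) continue;
            bool matches = isAttestation
                ? (r.isAttestation && r.attestationHash == attestationHash)
                : (!r.isAttestation && r.subject == addr);
            if (matches) {
                r.archived = true;
                flagged++;
                emit SelfReviewFlagged(ids[i], profileId);
            }
        }
    }

    function isArchived(uint256 reviewId) external view returns (bool) {
        return reviews[reviewId].archived;
    }
}
```

Whatever aggregates credibility should skip reviews with archived == true. Because the sweep is linear in the author's review count, a deployment would want to bound how many reviews a profile can hold or process the list in pages so that registration cannot be pushed over the block gas limit.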
LeFy
Medium