justAWanderKid - Since Users Can Claim Each Others Attestations, Invalid User or Malicious Actor Can Claim an Attestation Does Not Belong to Them, To Damage Attestation Reputation #219
Since Users Can Claim Each Others Attestations, Invalid User or Malicious Actor Can Claim an Attestation Does Not Belong to Them, To Damage Attestation Reputation
Description
Users with an active Ethos Profile can create Attestations in EthosAttestation and specify whom they claim to represent.
However, since any active Ethos Profile can claim (i call it "stealing") an existing Attestation, a malicious user or someone with a poor reputation can take control of an Attestation that does not belong to them.
If this occurs, other users will observe that the Attestation is associated with an incorrect profile and may respond with downvotes, negative comments, and poor reviews. This feedback can severely damage the Attestation's reputation and credibility score, leading to diminished trust in the Attestation and its legitimate creator.
Impact
When an Attestation is claimed by an invalid user or a malicious actor, they can damage the Attestation's reputation by provoking other users to downvote or leave negative reviews and comments, since they are not related to that attestation.
and If the valid owners of the Attestation, later reclaim the Attestation, it's reputation is tarnished, reducing its usefulness and value.
This harm extends beyond the Attestation itself, as the valid owner’s credibility and reputation are also negatively impacted, causing other users to lose trust in them and in the reliability of the Ethos network.
Recommended mitigation
Refactor the attestation creation mechanism to ensure that once an Attestation is created and it's details is initialized(not mock), it cannot be claimed by other users.
Implement a function in EthosAttestation that allows an Admin to permanently ban users from the Ethos Network, if they have created a Attestation that does not belong to them and they try to impersonate someone else.
justAWanderKid
High
Since Users Can Claim Each Others Attestations, Invalid User or Malicious Actor Can Claim an Attestation Does Not Belong to Them, To Damage Attestation Reputation
Description
Users with an active Ethos Profile can create Attestations in
EthosAttestationand specify whom they claim to represent.However, since any active Ethos Profile can claim (i call it "stealing") an existing Attestation, a malicious user or someone with a poor reputation can take control of an Attestation that does not belong to them.
If this occurs, other users will observe that the Attestation is associated with an incorrect profile and may respond with downvotes, negative comments, and poor reviews. This feedback can severely damage the Attestation's reputation and credibility score, leading to diminished trust in the Attestation and its legitimate creator.
Impact
When an Attestation is claimed by an invalid user or a malicious actor, they can damage the Attestation's reputation by provoking other users to downvote or leave negative reviews and comments, since they are not related to that attestation.
and If the valid owners of the Attestation, later reclaim the Attestation, it's reputation is tarnished, reducing its usefulness and value.
This harm extends beyond the Attestation itself, as the valid owner’s credibility and reputation are also negatively impacted, causing other users to lose trust in them and in the reliability of the Ethos network.
Recommended mitigation
Refactor the attestation creation mechanism to ensure that once an Attestation is created and it's details is initialized(not mock), it cannot be claimed by other users.
Implement a function in
EthosAttestationthat allows anAdminto permanently ban users from the Ethos Network, if they have created a Attestation that does not belong to them and they try to impersonate someone else.