Deleted(Compromised) addresses can still invite users.
Summary
when deleteAddressAtIndex() is called on an address it removes it from the addresses array in that profile's struct and marks it as compromised ( isAddressCompromised[addressStr] = true;), but it inviteAddress() does not check if the inviter is compromised before granting permission to invite other users. It only checks if the invitee has been compromised with the checkIfCompromised(invitee) modifier.
Hence even after a user has deleted a wallet that has been compromised the attacker can still invite other addresses to Ethos with the profile.
Root Cause
inviteAddress() only checks if the msg.sender is verified, not a mock and not archived but doesn't check if it's been compromised.
s0x0mtee
High
Deleted(Compromised) addresses can still invite users.
Summary
when
deleteAddressAtIndex()is called on an address it removes it from theaddressesarray in that profile's struct and marks it as compromised( isAddressCompromised[addressStr] = true;), but itinviteAddress()does not check if theinviteris compromised before granting permission to invite other users. It only checks if theinviteehas been compromised with thecheckIfCompromised(invitee)modifier. Hence even after a user has deleted a wallet that has been compromised the attacker can still invite other addresses to Ethos with the profile.Root Cause
inviteAddress()only checks if themsg.senderis verified, not a mock and not archived but doesn't check if it's been compromised.https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosProfile.sol#L208-L217
Internal pre-conditions
registeredto a previously existing profileExternal pre-conditions
Attack Path
inviteAddress()with a clean/validinviteeaddress.Impact
PoC
No response
Mitigation
consider adding the
checkIfCompromised()modifier for theinviterand not just for theinviteeininviteAddress()