s0x0mtee - Deleted addresses can reregister themselves and can also register other addresses

[sherlock-admin3]

s0x0mtee

High

Deleted addresses can reregister themselves and can also register other addresses

Summary

registerAddress() does not implement a check against compromised addresses appropriately, therefore they can call and successfully execute the function on their address. The only relatively close check for a compromised address in registerAddress() is https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosProfile.sol#L386-L390 This is because users are intended to still be able to reregister deleted addresses but the logic doesn't have enough constraint to stop deleted/compromised wallets from reregistering themselves to the profile. The check above fails to stop this because profileIdByAddress[addressStr] != profileId is false since deleted addresses are only removed from the associated profile's addresses array but not deleted from profileIdByAddress struct.

Root Cause

• The choice to allow users reregister deleted addresses opened up a gateway for compromised addresses to reregister themselves hence a profile owner can't ever stop an attacker who has compromised a previously registered address, since s/he can always just reregister himself back.

Internal pre-conditions

1. The address has to have been previously registered

External pre-conditions

1. The address needs to be compromised by an attacker

Attack Path

1. Compromised wallet calls registerAddress() with the appropriate arguments.

Impact

• Permanent compromise of a profile.

PoC

No response

Mitigation

• Add additional checks such as:

  if ( msg.sender == addressStr) {
   revert();
  }