sherlock-audit / 2024-10-ethos-network-judging


LeFy - No evidence check while registering an address lets anyone claim any addresses #243

Open sherlock-admin4 opened 2 weeks ago

sherlock-admin4 commented 2 weeks ago

LeFy

Medium

No evidence check while registering an address lets anyone claim any addresses

Summary

Unlike registering an attestation, there is no evidence check while registering an address to a profile.

Root Cause

```solidity
function registerAddress(
  address addressStr,
  uint256 profileId,
  uint256 randValue,
  bytes calldata signature
) external whenNotPaused onlyNonZeroAddress(addressStr) {
  (bool verified, bool archived, bool mock) = profileStatusById(profileId);
  if (!verified) {
    revert ProfileNotFound(profileId);
  }
  if (archived || mock) {
    revert ProfileAccess(profileId, "Profile is archived");
  }
  // you may restore your own previously deleted address,
  // but you cannot register an address that has been deleted by another user
  if (profileIdByAddress[addressStr] != profileId && isAddressCompromised[addressStr]) {
    revert AddressCompromised(addressStr);
  }
  (bool addressAlreadyRegistered, , , uint256 registeredProfileId) = profileStatusByAddress(
    addressStr
  );
  if (addressAlreadyRegistered && registeredProfileId != profileId) {
    revert ProfileExistsForAddress(addressStr);
  }

  validateAndSaveSignature(
    _keccakForRegisterAddress(addressStr, profileId, randValue),
    signature
  );

  profiles[profileId].addresses.push(addressStr);
  profileIdByAddress[addressStr] = profileId;

  checkMaxAddresses(profileId);

  emit AddressClaim(profileId, addressStr, AddressClaimStatus.Claimed);
}
```

Repo Link

There is no proper validation to check if the address belongs to the user

Impact

Anyone can claim any address.

Mitigation

Like the evidence check in attestations, check for evidence when registering addresses as well:

```solidity
function registerAddress(
  address addressStr,
  uint256 profileId,
  uint256 randValue,
  string calldata evidence,
  bytes calldata signature
) external whenNotPaused onlyNonZeroAddress(addressStr) {
```
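An added sketch of the proposed mitigation, not Ethos code and not part of the report above: the `evidence` string is folded into the digest that the trusted signer approves, so an approval cannot be reused for a different address, profile or evidence. The project's `validateAndSaveSignature` is replaced here by an assumed ECDSA check against one configured signer plus a used-signature map, and the profile-status and compromised-address checks from the original function are left out for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Ethos code. Assumes OpenZeppelin's ECDSA helpers.
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

contract AddressClaimWithEvidence {
    // Assumption: a single trusted off-chain signer approves each claim.
    address public immutable expectedSigner;
    mapping(address => uint256) public profileIdByAddress;
    // Assumption: replay protection by remembering every consumed signature.
    mapping(bytes32 => bool) public signatureUsed;

    event AddressClaim(uint256 indexed profileId, address indexed addressStr, string evidence);

    error EmptyEvidence();
    error InvalidSignature();
    error SignatureAlreadyUsed();

    constructor(address signer) {
        expectedSigner = signer;
    }

    // The evidence is part of the signed message, so the signer's approval is
    // bound to this address, profile, nonce and evidence together.
    function _keccakForRegisterAddress(
        address addressStr, uint256 profileId, uint256 randValue, string calldata evidence
    ) internal pure returns (bytes32) {
        return keccak256(abi.encode(addressStr, profileId, randValue, evidence));
    }

    function registerAddress(
        address addressStr, uint256 profileId, uint256 randValue,
        string calldata evidence, bytes calldata signature
    ) external {
        if (bytes(evidence).length == 0) revert EmptyEvidence();
        bytes32 sigKey = keccak256(signature);
        if (signatureUsed[sigKey]) revert SignatureAlreadyUsed();
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(
            _keccakForRegisterAddress(addressStr, profileId, randValue, evidence)
        );
        if (ECDSA.recover(digest, signature) != expectedSigner) revert InvalidSignature();
        signatureUsed[sigKey] = true;
        profileIdByAddress[addressStr] = profileId;
        emit AddressClaim(profileId, addressStr, evidence);
    }
}
```

The on-chain contract can only verify that the signer approved this exact (address, profile, nonce, evidence) tuple; whether the evidence actually proves ownership of the address is still the signer's off-chain responsibility.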