sherlock-audit / 2024-10-ethos-network-judging


justAWanderKid - Malicious User Can Block Other Members of the Same Profile from Interacting with the Ethos Network by Continuously Archiving the Profile Whenever It Is Restored #250

Open sherlock-admin2 opened 3 weeks ago

sherlock-admin2 commented 3 weeks ago

justAWanderKid

Medium

Malicious User Can Block Other Members of the Same Profile from Interacting with the Ethos Network by Continuously Archiving the Profile Whenever It Is Restored

Description

In the current implementation of EthosProfile::archiveProfile() and EthosProfile::restoreProfile(), any user can archive and unarchive the profile.

If a user decides to act maliciously, they can archive the profile, and whenever it is restored by other users, the malicious user will immediately archive it again by back-running, effectively blocking other users from interacting with the Ethos Network.

This behavior prevents users from adding new replies, submitting reviews, creating or restoring attestations, and upvoting or downvoting activity items.

Impact

A malicious user can effectively disable a profile by continuously archiving it, preventing other members from engaging in essential activities on the Ethos Network.

This would block users from submitting reviews, comments, upvotes, downvotes, and creating or restoring attestations.

Such a vulnerability negatively impacts the user experience, as members are unable to contribute to or maintain an active profile.

Recommended Mitigation

Each profile should have a primary user with administrative powers, including:

  1. Only the profile admin can archive/restore any activity item.
  2. Only the profile admin can register/un-register any user.
  3. The profile admin can whitelist trusted users so that they are able to call onlyProfileAdmin functions.
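The following is an added illustration of the mitigation proposed above; it is a simplified, hypothetical profile registry written for this note, not the EthosProfile contract or any code from the Ethos project. The contract name, struct layout, function names (createProfile, registerAddress, unregisterAddress, setTrusted) and error names are assumptions. The vulnerable shape from the description (archive/restore callable by any member of the profile) is shown in comments, and the live functions carry the onlyProfileAdmin restriction so that no single non-admin member can re-archive a profile after each restore.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, simplified profile registry (NOT the EthosProfile contract).
/// Illustrates the archive/restore griefing pattern and the suggested
/// primary-admin mitigation.
contract ProfileRegistryExample {
    struct Profile {
        address primaryAdmin;               // sole address that manages the profile
        bool archived;
        mapping(address => bool) isMember;  // every address attached to the profile
        mapping(address => bool) isTrusted; // members whitelisted for admin-only calls
    }

    uint256 public nextProfileId = 1;
    mapping(uint256 => Profile) private profiles;
    mapping(address => uint256) public profileOf; // address => profileId (0 = none)

    event ProfileArchived(uint256 indexed profileId, address indexed by);
    event ProfileRestored(uint256 indexed profileId, address indexed by);

    error NotProfileMember(uint256 profileId, address caller);
    error NotProfileAdmin(uint256 profileId, address caller);
    error NotPrimaryAdmin(uint256 profileId, address caller);

    /// Any member of the profile may call (the pre-fix level of access).
    modifier onlyProfileMember(uint256 profileId) {
        if (!profiles[profileId].isMember[msg.sender]) {
            revert NotProfileMember(profileId, msg.sender);
        }
        _;
    }

    /// Only the primary admin or a member the admin has whitelisted may call.
    modifier onlyProfileAdmin(uint256 profileId) {
        Profile storage p = profiles[profileId];
        if (msg.sender != p.primaryAdmin && !p.isTrusted[msg.sender]) {
            revert NotProfileAdmin(profileId, msg.sender);
        }
        _;
    }

    /// Only the primary admin may change the trusted whitelist, so a trusted
    /// member cannot extend trust to further addresses.
    modifier onlyPrimaryAdmin(uint256 profileId) {
        if (msg.sender != profiles[profileId].primaryAdmin) {
            revert NotPrimaryAdmin(profileId, msg.sender);
        }
        _;
    }

    function createProfile() external returns (uint256 profileId) {
        require(profileOf[msg.sender] == 0, "caller already has a profile");
        profileId = nextProfileId++;
        Profile storage p = profiles[profileId];
        p.primaryAdmin = msg.sender;
        p.isMember[msg.sender] = true;
        profileOf[msg.sender] = profileId;
    }

    // Vulnerable shape described in the report (kept as a comment, not deployed):
    //   function archiveProfile(uint256 id) external onlyProfileMember(id) { ... }
    //   function restoreProfile(uint256 id) external onlyProfileMember(id) { ... }
    // With that guard, any one member can archive again after every restore,
    // and the other members are locked out of profile-gated actions.

    // Mitigated: archive/restore and membership changes are admin-only.
    function archiveProfile(uint256 profileId) external onlyProfileAdmin(profileId) {
        profiles[profileId].archived = true;
        emit ProfileArchived(profileId, msg.sender);
    }

    function restoreProfile(uint256 profileId) external onlyProfileAdmin(profileId) {
        profiles[profileId].archived = false;
        emit ProfileRestored(profileId, msg.sender);
    }

    function registerAddress(uint256 profileId, address account)
        external
        onlyProfileAdmin(profileId)
    {
        require(profileOf[account] == 0, "address already registered");
        profiles[profileId].isMember[account] = true;
        profileOf[account] = profileId;
    }

    function unregisterAddress(uint256 profileId, address account)
        external
        onlyProfileAdmin(profileId)
    {
        Profile storage p = profiles[profileId];
        require(account != p.primaryAdmin, "cannot remove primary admin");
        p.isMember[account] = false;
        p.isTrusted[account] = false; // removal also revokes any whitelist grant
        profileOf[account] = 0;
    }

    function setTrusted(uint256 profileId, address account, bool trusted)
        external
        onlyPrimaryAdmin(profileId)
    {
        require(profiles[profileId].isMember[account], "not a member");
        profiles[profileId].isTrusted[account] = trusted;
    }

    function isArchived(uint256 profileId) external view returns (bool) {
        return profiles[profileId].archived;
    }
}
```

Two design points worth checking in any real fix: the whitelist in item 3 should be managed by the primary admin alone (here via onlyPrimaryAdmin), otherwise a whitelisted member could hand admin-level access to further addresses; and un-registering a member must clear its whitelist entry as well, or a removed address could still pass onlyProfileAdmin.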