0xBhumii - Unauthorized `Invites` from `Compromised Addresses` Threaten User Credibility in `EthosProfile` Contract

[sherlock-admin3]

0xBhumii

Medium

Unauthorized Invites from Compromised Addresses Threaten User Credibility in EthosProfile Contract

Summary

The missing check in the EthosProfile contract in the function inviteAddress will cause a significant credibility loss for users as compromised addresses will be able to send invites to new users.

Root Cause

In EthosProfile.sol, the inviteAddress function lacks a verification check on the sender's address to ensure it is not compromised, allowing malicious actors to exploit this oversight. https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosProfile.sol#L208C1-L241C1

Internal pre-conditions

1. A profile must exist for the sender of the invite (the inviter).
2. The sender's address must not be marked as compromised.
3. The sender must have available invites to send.

External pre-conditions

No external protocols or conditions are required for the invite to be sent; the attack can occur independently.

Attack Path

1. An attacker compromises a user’s address within the Ethos Network.
2. The attacker calls the inviteAddress function using the compromised address.
3. The function processes the invite without any restrictions on the sender's compromised status.
4. The invite is successfully sent to a legitimate user, potentially damaging the reputation of the compromised user's profile.

Impact

Legitimate user profiles will be forever tied to the invited accounts which effects their credibility and reputation

PoC

No response

Mitigation

To mitigate this vulnerability, a check should be implemented in the inviteAddress function to ensure that the sender's address is not marked as compromised