Bulk Invites May Cause Transaction Reverts in EthosProfile Contract
Summary
The current implementation of the bulkInviteAddresses function in the EthosProfile contract will cause a complete transaction revert if any single invite fails, affecting all subsequent invites in the list.
Each invitee must either not exist or be a mock profile.
External pre-conditions
none
Attack Path
A user attempts to invite multiple addresses in a single transaction using the bulkInviteAddresses function.
The function iterates over the invitees array, calling inviteAddress for each address.
If any single call to inviteAddress reverts (e.g., due to an invalid state), the entire transaction is reverted, resulting in no invites being processed.
Impact
The user suffers the inability to send any invites if even one invite fails, leading to potential frustration and inefficiency. This design flaw may result in legitimate users missing opportunities to invite others, negatively affecting the network's growth and engagement.
PoC
No response
Mitigation
To enhance the bulkInviteAddresses function, consider implementing a mechanism that allows individual invite failures to be logged while continuing with subsequent invites. This can be achieved by using a try/catch pattern or similar approach to catch and handle errors for each invite. Here’s a suggested implementation
function bulkInviteAddresses(address[] calldata invitees) external whenNotPaused {
for (uint256 i = 0; i < invitees.length; i++) {
try this.inviteAddress(invitees[i]) {
// Invite processed successfully
} catch {
// Log or handle the failure without reverting the entire transaction
continue; // Proceed to the next invite
}
}
}
By implementing this change, the contract will allow successful invites to be processed even if some invites fail, improving user experience and network engagement.
0xBhumii
Medium
Bulk InvitesMay Cause Transaction Reverts inEthosProfileContractSummary
The current implementation of the
bulkInviteAddressesfunction in theEthosProfilecontract will cause a complete transaction revert if any single invite fails, affecting all subsequent invites in the list.Root Cause
In
EthosProfile.sol, thebulkInviteAddressesfunction calls theinviteAddressfunction in a loop without handling reverts for individual invites. If an invite fails (e.g., due to the invitee being a compromised address or an invalid sender), the entire transaction is reverted, preventing successful invites from being processed. https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosProfile.sol#L248C3-L253C1Internal pre-conditions
External pre-conditions
none
Attack Path
Impact
The user suffers the inability to send any invites if even one invite fails, leading to potential frustration and inefficiency. This design flaw may result in legitimate users missing opportunities to invite others, negatively affecting the network's growth and engagement.
PoC
No response
Mitigation
To enhance the
bulkInviteAddressesfunction, consider implementing a mechanism that allows individual invite failures to be logged while continuing with subsequent invites. This can be achieved by using a try/catch pattern or similar approach to catch and handle errors for each invite. Here’s a suggested implementationBy implementing this change, the contract will allow successful invites to be processed even if some invites fail, improving user experience and network engagement.