sherlock-audit / 2024-10-ethos-network-judging


s0x0mtee - Deleted(Compromised) addresses can still uninvite users. #271

Open sherlock-admin2 opened 3 weeks ago

sherlock-admin2 commented 3 weeks ago

s0x0mtee

Medium

Deleted(Compromised) addresses can still uninvite users.

Summary

uninviteUser() does not check whether the caller has been labelled as compromised, so an address that was deleted from a profile still passes all of the function's present checks and successfully uninvites a user.

Root Cause

Internal pre-conditions

  1. The deleted (compromised) address has to have been registered to the profile and then deleted.
  2. The address to be uninvited needs to have been invited.
  3. Compromised addresses can only uninvite invitees of the same profile.

External pre-conditions

  1. Invitee has not accepted the invitation yet.

Attack Path

  1. Compromised/deleted address calls uninviteUser()
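
As an added example that is not part of this submission or of the Ethos Network code base, the following simplified Solidity model puts an uninvite function with the missing check next to one that refuses callers flagged as compromised. Every contract, mapping and function name in it (InviteModel, profileIdOf, isCompromised, pendingInvite, uninviteUserVulnerable, uninviteUser) is an assumption made for illustration, and the admin functions carry no access control because they only set up state for the comparison.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of profile / invite bookkeeping (assumed names, not the
// project's own). The point it shows: if deleting an address only flags it
// as compromised while its profile mapping stays in place, an ownership
// check alone is not enough to keep that address out of uninviteUser().
contract InviteModel {
    error NotRegistered();
    error NotInvited();
    error CompromisedCaller();

    // address -> profile id (0 = not registered). Deliberately left in place
    // when the address is deleted, mirroring the precondition in the finding.
    mapping(address => uint256) public profileIdOf;

    // addresses removed from a profile are flagged rather than unmapped
    mapping(address => bool) public isCompromised;

    // profile id -> invitee -> invitation still pending
    mapping(uint256 => mapping(address => bool)) public pendingInvite;

    event Uninvited(uint256 indexed profileId, address indexed invitee, address by);

    // --- setup helpers (no access control; model only) ---

    function register(address who, uint256 profileId) external {
        profileIdOf[who] = profileId;
    }

    function invite(address invitee) external {
        uint256 pid = profileIdOf[msg.sender];
        if (pid == 0) revert NotRegistered();
        pendingInvite[pid][invitee] = true;
    }

    // "Delete" an address from its profile: it is flagged as compromised
    // but still resolves to the profile id it was registered under.
    function deleteAddress(address who) external {
        isCompromised[who] = true;
    }

    // --- vulnerable shape (mirrors the finding) ---
    // Only checks that the caller maps to the profile that issued the invite.
    // A deleted address still satisfies both checks and can revoke the invite.
    function uninviteUserVulnerable(address invitee) external {
        uint256 pid = profileIdOf[msg.sender];
        if (pid == 0) revert NotRegistered();
        if (!pendingInvite[pid][invitee]) revert NotInvited();
        pendingInvite[pid][invitee] = false;
        emit Uninvited(pid, invitee, msg.sender);
    }

    // --- hardened shape ---
    // Rejects the caller up front if its address has been flagged, before any
    // profile lookup, so the remaining checks never run for a deleted address.
    function uninviteUser(address invitee) external {
        if (isCompromised[msg.sender]) revert CompromisedCaller();
        uint256 pid = profileIdOf[msg.sender];
        if (pid == 0) revert NotRegistered();
        if (!pendingInvite[pid][invitee]) revert NotInvited();
        pendingInvite[pid][invitee] = false;
        emit Uninvited(pid, invitee, msg.sender);
    }
}
```

To reproduce the behaviour in a test harness: register two addresses A and B to profile 1, invite C from A, call deleteAddress(B), then call both uninvite functions from B. The vulnerable variant clears the pending invite, while the hardened one reverts with CompromisedCaller. The design choice is to place the compromised-address check first so that it does not depend on which profile the caller resolves to.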

Impact

PoC

No response

Mitigation

No response