past reviews will be lost when attestation claim for another profile
Summary
past reviews woulldn't migrate to new profile id when an attestation claim for another profile id even this problem exists for subject addresses in addReview function
Root Cause
when users want to submit a review for a attestation or for a subject address if there isn't a profile for that address or that attestation a new mock profile will be created for that and after that every review will be pushed to reviewIdsBySubjectProfileId in EthosReview and if a user want to create attestation based on that account and service or a user want to register subject address, new profile id will be assigned to that ,its mean reviewIdsBySubjectProfileId for new profile id which will be assigned to attestion is empty and in result there isn't any review for that attestation or subject address
old reviews will be lost when attestation claim for new profile id or signer address migrate to real profile id instead of mock profile id
PoC
Textual PoC:
1-Alice submit a review for user a1 in service s1
2-mock profile id 2 will be assigned to that
3-and Alice's review will be pushed to reviewIdsBySubjectProfileId[2]
4-Bob which is owner of account a1 create a new attestation for account a1 in service s1
5-profile id 3 will be assigned to attestation
6-reviewIdsBySubjectProfileId for profile id 3 is empty while Alice submited a review for that
Mitigation
its better reviewIdsBySubjectProfileId's key be attestion hash instead of profile id
pashap9990
High
past reviews will be lost when attestation claim for another profile
Summary
past reviews woulldn't migrate to new profile id when an attestation claim for another profile id even this problem exists for subject addresses in addReview function
Root Cause
when users want to submit a review for a attestation or for a subject address if there isn't a profile for that address or that attestation a new mock profile will be created for that and after that every review will be pushed to reviewIdsBySubjectProfileId in EthosReview and if a user want to create attestation based on that account and service or a user want to register subject address, new profile id will be assigned to that ,its mean reviewIdsBySubjectProfileId for new profile id which will be assigned to attestion is empty and in result there isn't any review for that attestation or subject address
Code Snippet
https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosReview.sol#L248
Impact
old reviews will be lost when attestation claim for new profile id or signer address migrate to real profile id instead of mock profile id
PoC
Textual PoC: 1-Alice submit a review for user a1 in service s1 2-mock profile id 2 will be assigned to that 3-and Alice's review will be pushed to reviewIdsBySubjectProfileId[2] 4-Bob which is owner of account a1 create a new attestation for account a1 in service s1 5-profile id 3 will be assigned to attestation 6-reviewIdsBySubjectProfileId for profile id 3 is empty while Alice submited a review for that
Mitigation
its better reviewIdsBySubjectProfileId's key be attestion hash instead of profile id