sakibcy - No check if review exists or not on `editReview` of `EthosReview`

[sherlock-admin2]

sakibcy

Medium

No check if review exists or not on editReview of EthosReview

Summary

EthosReview.sol#L261 It does not check if the review exits or not.\ Example: on EthosDiscussion.sol#L153 the function checks if reply exists or not on EthosDiscussion.sol#L162

Impact

Calling editReview with reviewId which does not exist will cause unintentional behavior.

PoC

On EthosReview.sol#L261 It do not have any check for the existence of review.

  function editReview(
    uint256 reviewId,
    string calldata comment,
    string calldata metadata
  ) external whenNotPaused {
    Review storage review = reviews[reviewId];
    uint256 authorProfileId = _getEthosProfile().verifiedProfileIdForAddress(msg.sender);

    if (review.authorProfileId != authorProfileId) {
      revert UnauthorizedEdit(reviewId);
    }

    if (review.archived) {
      revert ReviewIsArchived(reviewId);
    }

    review.comment = comment;
    review.metadata = metadata;

    emit ReviewEdited(reviewId, msg.sender, review.subject);
  }

Mitigation

• Create a function inside the EthosReview

+  function _doesReviewExist(uint256 reviewId) internal view {
+    if (reviews[reviewId].createdAt == 0) {
+      revert ReviewNotFound(reviewId);
+    }
+  }

• add this function on editReview

  function editReview(
    uint256 reviewId,
    string calldata comment,
    string calldata metadata
  ) external whenNotPaused {
+    _doesReviewExist(reviewId);

    Review storage review = reviews[reviewId];
    uint256 authorProfileId = _getEthosProfile().verifiedProfileIdForAddress(msg.sender);

    if (review.authorProfileId != authorProfileId) {
      revert UnauthorizedEdit(reviewId);
    }

    if (review.archived) {
      revert ReviewIsArchived(reviewId);
    }

    review.comment = comment;
    review.metadata = metadata;

    emit ReviewEdited(reviewId, msg.sender, review.subject);
  }