Lack of delete or compromised functionality for attestations can be exploited
Summary
Unlike addresses, which can be deleted or marked as compromised, attestations cannot be deleted or marked as compromised. If a user's attested external account is compromised or hacked, it remains attached to the user's profile, and malicious activity carried out through that account is still linked to the profile and will destroy the user's reputation.
Root Cause
In 'EthosProfile.sol' there are explicit methods that let a user delete an address and mark it as compromised if that address is compromised:
Repo Link
But 'EthosAttestation.sol' has no method to delete an attestation or mark it as compromised. This can be exploited if a user's attested external account has been compromised or hacked.
Impact
The user's compromised external account remains linked to the user profile, so malicious activity through that account is still attributed to the profile, which will destroy the user's reputation and credibility score.
Mitigation
Implement a proper deleteAttestation function that deletes the attestation from the user profile and marks it as compromised.
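One way the mitigation could look, as an added sketch that is not code from the Ethos repository: a stand-alone registry in which deleteAttestation detaches the attestation from the profile and flags it so it cannot be linked again. The contract name, storage layout, errors and event are all hypothetical, and proof that the caller controls the external account is assumed to happen elsewhere.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Hypothetical sketch, not the Ethos contracts: all names are assumptions.
contract AttestationRegistrySketch {
    struct Attestation {
        uint256 profileId; // profile the external account is linked to
        address owner;     // address allowed to manage the link
        bool compromised;  // set on delete, never cleared
    }

    mapping(bytes32 => Attestation) public attestations; // keyed by attestation hash
    mapping(uint256 => bytes32[]) public linked;         // hashes attached to a profile
    mapping(bytes32 => uint256) private slot;            // index in linked[] plus one, 0 = absent

    event AttestationDeleted(uint256 indexed profileId, bytes32 indexed hash);

    error NotOwner();
    error NotLinked();
    error AlreadyLinked();
    error MarkedCompromised();

    // Proof that msg.sender controls the external account is out of scope here.
    function linkAttestation(uint256 profileId, bytes32 hash) external {
        if (attestations[hash].compromised) revert MarkedCompromised();
        if (slot[hash] != 0) revert AlreadyLinked();
        attestations[hash] = Attestation(profileId, msg.sender, false);
        linked[profileId].push(hash);
        slot[hash] = linked[profileId].length;
    }

    // Detach the attestation from the profile and flag it so later activity
    // on that external account is no longer credited to the profile.
    function deleteAttestation(bytes32 hash) external {
        Attestation storage a = attestations[hash];
        if (slot[hash] == 0) revert NotLinked();
        if (a.owner != msg.sender) revert NotOwner();

        bytes32[] storage list = linked[a.profileId];
        uint256 i = slot[hash] - 1;
        bytes32 last = list[list.length - 1];
        list[i] = last;     // swap-and-pop keeps removal O(1)
        slot[last] = i + 1;
        list.pop();
        slot[hash] = 0;     // cleared last so deleting the final entry also works

        a.compromised = true;
        emit AttestationDeleted(a.profileId, hash);
    }
}
```

The record is kept with its compromised flag instead of being erased, so off-chain scoring can tell a revoked account from one that was never attested.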
Proud Frost Alligator
Medium