Self review is possible if a user reviews an attestation before claiming it.
Summary
In the EthosReview contract, a user can add a review on an attestation by calling addReview() with subject == address(0) and passing the account and service details in attestationDetails. To ensure that a user is not reviewing himself, there is a check that the profile linked to this attestation != the profile of the user submitting the review; if they are equal, the call reverts.
The issue is that a user can review his own attestation before creating it (or claiming it). At that point the profileId retrieved from EthosProfile for the attestation is zero, so the check passes. The user can then claim his attestation and benefit from the positive reviews he added to himself and
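The following is an added illustration of the check described above, not code from the Ethos contracts: the interface names, the mock profile store and the function names are assumptions chosen to model the one fact the report relies on, namely that an unclaimed attestation resolves to profileId 0. checkVulnerable mirrors the inequality check as described; checkHardened shows a pre-claim rejection that closes the gap at review time (an alternative to cleaning up reviews after the claim).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed, simplified shape of the profile lookup. Not EthosProfile's real
// interface: the report only tells us that an attestation's profileId is 0
// until the attestation is claimed.
interface IProfileLookup {
    function profileIdByAttestation(bytes32 attestationHash) external view returns (uint256);
    function profileIdByAddress(address who) external view returns (uint256);
}

// Minimal in-memory stand-in so the demo deploys on its own (e.g. in Remix).
contract MockProfiles is IProfileLookup {
    mapping(bytes32 => uint256) private claimedBy;
    mapping(address => uint256) private ids;

    function setProfile(address who, uint256 profileId) external {
        ids[who] = profileId;
    }

    // Claiming links an attestation hash to a profile; before this it maps to 0.
    function claim(bytes32 attestationHash, uint256 profileId) external {
        claimedBy[attestationHash] = profileId;
    }

    function profileIdByAttestation(bytes32 h) external view returns (uint256) {
        return claimedBy[h];
    }

    function profileIdByAddress(address who) external view returns (uint256) {
        return ids[who];
    }
}

contract SelfReviewCheckDemo {
    IProfileLookup public immutable profiles;

    error SelfReview();
    error AttestationNotClaimed();

    constructor(IProfileLookup p) {
        profiles = p;
    }

    // Vulnerable form: the inequality check the report describes. For an
    // unclaimed attestation attestationProfileId is 0, so "0 != authorProfileId"
    // passes even when msg.sender is the one who will later claim it.
    function checkVulnerable(bytes32 attestationHash) external view returns (bool) {
        uint256 authorProfileId = profiles.profileIdByAddress(msg.sender);
        uint256 attestationProfileId = profiles.profileIdByAttestation(attestationHash);
        if (attestationProfileId == authorProfileId) revert SelfReview();
        return true;
    }

    // Hardened form: refuse reviews on attestations nobody has claimed yet,
    // so the zero profileId can never satisfy the self-review check.
    function checkHardened(bytes32 attestationHash) external view returns (bool) {
        uint256 authorProfileId = profiles.profileIdByAddress(msg.sender);
        uint256 attestationProfileId = profiles.profileIdByAttestation(attestationHash);
        if (attestationProfileId == 0) revert AttestationNotClaimed();
        if (attestationProfileId == authorProfileId) revert SelfReview();
        return true;
    }
}
```

To reproduce the scenario: deploy MockProfiles, call setProfile(attacker, 7), then from the attacker address call checkVulnerable(h) for some attestation hash h that has not been claimed; it returns true. After claim(h, 7) the same call reverts with SelfReview, which is exactly the ordering the attacker exploits. checkHardened(h) reverts with AttestationNotClaimed before the claim, so the self-review can never be recorded.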
Root Cause
No response
Internal pre-conditions
The attestation is not yet linked to the user's profile (it has not been claimed).
External pre-conditions
No response
Attack Path
1. The user reviews his own, not yet claimed, attestation.
2. He then claims the attestation.
Impact
This can mislead public opinion on a user: people will assume he is trustworthy when he is not.
PoC
No response
Mitigation
After an attestation is claimed, remove all reviews on this attestation where author profile == subject profile. Alternatively, reject reviews on attestations that have not been claimed yet (i.e. where the attestation's profileId retrieved from EthosProfile is zero), so the check cannot be bypassed in the first place.
noromeb
Medium