The code comments in EthosProfile.sol state that accounts marked as compromised are supposed to be prohibited from certain actions, however no such limitations exist in the system.
// Keeps track of addresses that are compromised, preventing certain actions from being taken by these addresses.
mapping(address => bool) public isAddressCompromised;
durov
High
Compromised accounts can use the profile freely
Summary
The code comments in EthosProfile.sol state that accounts marked as compromised are supposed to be prohibited from certain actions, however no such limitations exist in the system.
https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosProfile.sol#L60-L61
Root Cause
There is no logic in the code that would prevent compromised accounts from interacting with the protocol.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
Compromised accounts have no restrictions in using the profile in any of the contracts.
PoC
No response
Mitigation
Implement checks in contracts to prevent a compromised account from interactions.