sherlock-audit / 2024-10-ethos-network-judging


LeFy - Lack of proper validation in EthosDiscussion.sol lets a compromised address add malicious replies on the user's behalf #297

Open sherlock-admin4 opened 2 weeks ago

sherlock-admin4 commented 2 weeks ago

LeFy

Medium

Lack of proper validation in EthosDiscussion.sol lets a compromised address add malicious replies on the user's behalf

Summary

In 'EthosDiscussion.sol', there is no validation to ensure that the address adding a reply is not one the user has marked as compromised.

Root Cause

In 'EthosDiscussion.sol', the addReply() function is used to add a reply to any activity in Ethos.

 /// @notice Stores a reply to a target and attributes it to the profile that msg.sender resolves to.
 /// @dev As quoted in this finding, the only caller check in this function is
 ///      verifiedProfileIdForAddress(msg.sender). There is no explicit test here of whether
 ///      msg.sender has been flagged as compromised.
 ///      NOTE(review): whether verifiedProfileIdForAddress itself rejects such addresses is not
 ///      visible in this excerpt; confirm against EthosProfile before relying on it.
 /// @param targetContract Contract that holds the item being replied to; passed to the
 ///        onlyNonZeroAddress modifier.
 /// @param targetId Id of the item inside targetContract (an index into `replies` when the target
 ///        is this contract).
 /// @param content Reply text, stored as given.
 /// @param metadata Additional metadata, stored as given.
 function addReply(
    address targetContract,
    uint256 targetId,
    string memory content,
    string memory metadata
  ) external onlyNonZeroAddress(targetContract) whenNotPaused {
    // The profile contract is looked up by name through the address manager on every call.
    uint256 authorID = IEthosProfile(
      contractAddressManager.getContractAddressForName(ETHOS_PROFILE)
    ).verifiedProfileIdForAddress(msg.sender);

    bool isTargetThisContract = _isAddressThisContract(targetContract);

    if (isTargetThisContract) {
      // Replying to a reply: the parent must exist (createdAt is set when a reply is stored).
      if (replies[targetId].createdAt == 0) {
        revert TargetNotFound(targetContract, targetId);
      }
    } else {
      // Replying to an item in another contract: existence/permission check is delegated.
      _checkIfTargetExistsAndAllowed(targetContract, targetId);
    }

    // Cache the counter; its current value becomes the new reply's id.
    uint256 _replyCount = replyCount;

    // Index the new reply under its target and under the author's profile id.
    directReplyIdsByTargetAddressAndTargetId[targetContract][targetId].push(_replyCount);
    replyIdsByAuthor[authorID].push(_replyCount);

    // Positional struct construction; the field order must match the Reply declaration,
    // which is not shown in this excerpt.
    replies[_replyCount] = Reply(
      !isTargetThisContract,
      targetContract,
      authorID,
      _replyCount,
      targetId,
      block.timestamp,
      0,
      content,
      metadata
    );

    emit ReplyAdded(authorID, targetContract, _replyCount);

    replyCount++;
  }

Repo Link

Even though replies have no direct link to the credibility score calculation, they can leave a user with a bad reputation if the user acts maliciously in discussions. So if an address is compromised/hacked, it can still add malicious replies; these are recorded on behalf of the user's profile and can affect the user's reputation.

Impact

A compromised/hacked address can still add malicious replies, and they will be recorded on behalf of the user's profile.

Mitigation

In addReply() add proper validation to ensure that msg.sender is not a compromised address:

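 /// @notice Stores a reply to a target and attributes it to the profile that msg.sender resolves to.
 /// @dev Reverts with CompromisedAddress when the profile contract reports msg.sender as
 ///      compromised, so a flagged address cannot post under the owner's profile.
 ///      NOTE(review): assumes IEthosProfile exposes isAddressCompromised(address) (a public
 ///      mapping is reached through its getter, not with index syntax) and that the
 ///      CompromisedAddress error is declared in or imported by this contract; confirm both.
 ///      This guard covers addReply only; other functions that attribute actions to a profile
 ///      are not visible here and need the same review.
 /// @param targetContract Contract that holds the item being replied to; passed to the
 ///        onlyNonZeroAddress modifier.
 /// @param targetId Id of the item inside targetContract (an index into `replies` when the target
 ///        is this contract).
 /// @param content Reply text, stored as given.
 /// @param metadata Additional metadata, stored as given.
 function addReply(
    address targetContract,
    uint256 targetId,
    string memory content,
    string memory metadata
  ) external onlyNonZeroAddress(targetContract) whenNotPaused {
    // Resolve the profile contract once through the address manager so the profile lookup
    // and the compromised-address check query the same deployment.
    IEthosProfile profile = IEthosProfile(
      contractAddressManager.getContractAddressForName(ETHOS_PROFILE)
    );
    uint256 authorID = profile.verifiedProfileIdForAddress(msg.sender);

    // Reject before any state is written or any event is emitted.
    if (profile.isAddressCompromised(msg.sender)) {
      revert CompromisedAddress(msg.sender);
    }

    bool isTargetThisContract = _isAddressThisContract(targetContract);

    if (isTargetThisContract) {
      // Replying to a reply: the parent must exist (createdAt is set when a reply is stored).
      if (replies[targetId].createdAt == 0) {
        revert TargetNotFound(targetContract, targetId);
      }
    } else {
      // Replying to an item in another contract: existence/permission check is delegated.
      _checkIfTargetExistsAndAllowed(targetContract, targetId);
    }

    // Cache the counter; its current value becomes the new reply's id.
    uint256 _replyCount = replyCount;

    // Index the new reply under its target and under the author's profile id.
    directReplyIdsByTargetAddressAndTargetId[targetContract][targetId].push(_replyCount);
    replyIdsByAuthor[authorID].push(_replyCount);

    // Positional struct construction; the field order must match the Reply declaration.
    replies[_replyCount] = Reply(
      !isTargetThisContract,
      targetContract,
      authorID,
      _replyCount,
      targetId,
      block.timestamp,
      0,
      content,
      metadata
    );

    emit ReplyAdded(authorID, targetContract, _replyCount);

    replyCount++;
  }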