0xBhumii
Medium
Unauthorized Attestations Allowed for Archived Profiles in EthosAttestation Contract
Summary
The missing validation of profile activity status (archived) in createAttestation will cause unauthorized attestations for archived profiles, as an attacker can exploit this flaw to create or claim attestations under archived profiles.
Root Cause
In EthosAttestation, the contract lacks a check for the profile’s active status in the createAttestation function: the function checks for profile existence but does not verify whether the profile is archived. See https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosAttestation.sol#L184C1-L261C1.
Internal pre-conditions
The profileId must exist within the EthosProfile contract.
The attestation’s hashStr should not already be active (i.e., should be archived).
The caller must have a valid signature for the attestation.
External pre-conditions
none
Attack Path
No response
Impact
The affected protocol suffers from unauthorized attestations under archived profiles, potentially damaging the integrity of the Ethos identity system. An attacker could associate false or outdated information with archived profiles, compromising the credibility of the profile data.
PoC
No response
Mitigation
Add a check for the profile’s active status in createAttestation to ensure that only active profiles can create attestations.
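The following is an added illustration of the mitigation and is not the Ethos project's code. It shows the vulnerable pattern the finding describes (existence is checked, archival status is not) next to the hardened version that rejects archived profiles before any state is written. The profile-registry interface (IProfileRegistryLike with profileExists and isArchived), the attestation state, the custom errors and the mock registry are all assumptions made for the example; the real EthosProfile and EthosAttestation contracts expose different functions, and the signature check the report lists as a pre-condition is omitted here to keep the focus on the missing status check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// ASSUMPTION: a stand-in for the profile registry, modelling only the two
// facts this finding depends on (does the profile exist, is it archived).
interface IProfileRegistryLike {
    function profileExists(uint256 profileId) external view returns (bool);
    function isArchived(uint256 profileId) external view returns (bool);
}

contract AttestationCheckExample {
    error ProfileNotFound(uint256 profileId);
    error ProfileArchived(uint256 profileId);
    error AttestationAlreadyActive(bytes32 attestationHash);

    IProfileRegistryLike public immutable profiles;

    // attestation hash => active flag (hypothetical minimal state)
    mapping(bytes32 => bool) public attestationActive;

    event AttestationCreated(uint256 indexed profileId, bytes32 indexed attestationHash);

    constructor(IProfileRegistryLike _profiles) {
        profiles = _profiles;
    }

    // BEFORE: the pattern the finding describes. Existence is verified, but an
    // archived profile passes this check and can still create an attestation.
    function createAttestationVulnerable(uint256 profileId, string calldata hashStr) external {
        if (!profiles.profileExists(profileId)) revert ProfileNotFound(profileId);
        bytes32 h = keccak256(abi.encodePacked(hashStr));
        if (attestationActive[h]) revert AttestationAlreadyActive(h);
        attestationActive[h] = true;
        emit AttestationCreated(profileId, h);
    }

    // AFTER: the mitigation. The archived status is checked together with
    // existence, before any state is touched, so only active profiles attest.
    function createAttestation(uint256 profileId, string calldata hashStr) external {
        _requireActiveProfile(profileId);
        bytes32 h = keccak256(abi.encodePacked(hashStr));
        if (attestationActive[h]) revert AttestationAlreadyActive(h);
        attestationActive[h] = true;
        emit AttestationCreated(profileId, h);
    }

    // Single guard reused by every entry point that acts on behalf of a profile.
    function _requireActiveProfile(uint256 profileId) internal view {
        if (!profiles.profileExists(profileId)) revert ProfileNotFound(profileId);
        if (profiles.isArchived(profileId)) revert ProfileArchived(profileId);
    }
}

// Constructed mock registry so the example can be deployed and exercised
// in a local test; it is not Ethos code.
contract MockProfileRegistry is IProfileRegistryLike {
    mapping(uint256 => bool) public registered;
    mapping(uint256 => bool) public archivedFlag;

    function register(uint256 profileId) external { registered[profileId] = true; }
    function archive(uint256 profileId) external { archivedFlag[profileId] = true; }

    function profileExists(uint256 profileId) external view returns (bool) {
        return registered[profileId];
    }

    function isArchived(uint256 profileId) external view returns (bool) {
        return archivedFlag[profileId];
    }
}
```

Deploy MockProfileRegistry, call register(1) then archive(1), and point AttestationCheckExample at it: createAttestationVulnerable(1, "x") succeeds and emits AttestationCreated, while createAttestation(1, "x") reverts with ProfileArchived(1). Because the summary notes that both creating and claiming attestations are affected, the same guard should sit in front of every path that attaches an attestation to a profile, not only the create path.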