smbv-1923 - EthosProfile which contains multiple address cannot work with `archiveReview() and `restoreReview()`

[sherlock-admin4]

smbv-1923

Medium

EthosProfile which contains multiple address cannot work with archiveReview() andrestoreReview()`

Summary

EthosProfile which contains multiple address cannot work with archiveReview() andrestoreReview()`

Root Cause

https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosReview.sol#L300 https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosReview.sol#L321

Internal pre-conditions

• There should be a EthosProfile which contains multiple address in that profile.

External pre-conditions

No response

Attack Path

• Let's understand using an example.
• Let's suppose there is a Ethos Profile which contains 3 addresses AddrA, AddrB, AddrC.
• Lets suppose AddrC added review earlier using addReview() where author is set as msg.sender

  reviews[reviewCount] = Review({
    archived: false,
    score: score,
    authorProfileId: authorProfileId,
    author: msg.sender,
    subject: subject,
    reviewId: reviewCount,
    // solhint-disable-next-line not-rely-on-time
    createdAt: block.timestamp,
    comment: comment,
    metadata: metadata,
    attestationDetails: attestationDetails
  });

• Now AddrC get's compromised and is not part of that Ethos Profile.
• Now other Ethos Profile address can't archiveReview() andrestoreReview()` because of the below check

  if (review.author != msg.sender) {
    revert UnauthorizedArchiving(reviewId);
  }

• In case of account compromises, a profile can unregister an account and mark it as compromised.
• In this case other ethosProfile addresses can't archive and restore the review.
• This is clearly not a design choice as this case is handled properly in another function editReview()

  if (review.authorProfileId != authorProfileId) {
    revert UnauthorizedEdit(reviewId);
  }

Impact

• Other addresses of EthosProfile will not not be able to restore and archive reviews due to msg.sender check.

PoC

No response

Mitigation

• Add a similar check which is their inside editReview()

  if (review.authorProfileId != authorProfileId) {
    revert UnauthorizedEdit(reviewId);
  }