search

sherlock-audit / 2024-10-ethos-network-judging

0 stars 0 forks source link

Kyosi - Lack of Profile Status Check During Attestation Archiving #45

Open sherlock-admin4 opened 2 weeks ago

sherlock-admin4 commented 2 weeks ago

Kyosi

Medium

Lack of Profile Status Check During Attestation Archiving

Summary

The EthosAttestation::archiveAttestation function allows users to archive their attestations without verifying if the associated profile is in an archived state. This oversight allows profiles in an archived state to continue interacting with attestations, potentially causing data inconsistency and unauthorized state changes.

https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosAttestation.sol#L341-L351

Root Cause

The EthosAttestation::archiveAttestation function fails to verify if the profile linked to the attestation is currently archived. This missing check permits profiles marked as archived to alter their attestations, contradicting the intended immutability of archived profiles.

Internal pre-conditions

  1. The protocol treats archived profiles as inactive, restricting them from state-changing operations.
  2. Attestations associated with profiles should not be archivable if the profile itself is archived.

External pre-conditions

  1. The profile must be in an archived state.
  2. The user, as part of the profile, must attempt to archive an attestation associated with this profile.

Attack Path

  1. A user linked to an archived profile calls EthosAttestation::archiveAttestation.
  2. The function skips the profile status check, allowing the archived profile to mutate attestation data and mark it as archived.

Impact

Allowing archived profiles to perform state-changing actions undermines the contract’s access control and data integrity. This issue can result in unauthorized operations by inactive profiles, potentially leading to confusion, data inconsistency, and reputation impact.

PoC

No response

Mitigation

Add a check in archiveAttestation to verify the profile’s archived status before proceeding. If the profile is archived, the function should revert with an appropriate error message.

    address ethosProfile = _getEthosProfile();
    (, bool isArchived) = IEthosProfile(ethosProfile).profileExistsAndArchivedForId(profileId);
    if (isArchived) {
      revert ProfileNotFound(profileId);
    }
sherlock-admin2 commented 1 week ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/trust-ethos/ethos/pull/1872