Skip to content

Latest commit

 

History

History
89 lines (71 loc) · 3.15 KB

File metadata and controls

89 lines (71 loc) · 3.15 KB

Colossal Chiffon Urchin

Medium

User can vouch for an archived profile

Summary

increaseVouch allows to increase power of archived account.

Root Cause

According to docs in code

  • Author cannot vouch for an archived profile

EthosVouch.sol#L32

inside vouchByProfileId there is a check that subject's profile is not archived, but there is none in increaseVouch, which allows to first create vouch-> archive account->increase account's power in archived state, which violates invariant in the beginning of contract

  function vouchByProfileId(
    uint256 subjectProfileId,
    string calldata comment,
    string calldata metadata
  ) public payable whenNotPaused nonReentrant {
...
    (bool verified, bool archived, bool mock) = IEthosProfile(
      contractAddressManager.getContractAddressForName(ETHOS_PROFILE)
    ).profileStatusById(subjectProfileId);

    // you may not vouch for archived profiles
    // however, you may vouch for verified AND mock profiles
    // we allow vouching for mock profiles in case they are later verified
    if (archived || (!mock && !verified)) {
      revert InvalidEthosProfileForVouch(subjectProfileId);
    }
...
  }

contracts/EthosVouch.sol#L330

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Archived account's power can be increased which breaks protocol's invariant

PoC

No response

Mitigation

Send it to the subject reward escrow like its done with dust at the end of the function

 function increaseVouch(uint256 vouchId) public payable nonReentrant {
    // vouch increases much also meet the minimum vouch amount
    if (msg.value < configuredMinimumVouchAmount) {
      revert MinimumVouchAmount(configuredMinimumVouchAmount);
    }
+      (bool verified, bool archived, bool mock) = IEthosProfile(
+          contractAddressManager.getContractAddressForName(ETHOS_PROFILE)
+      ).profileStatusById(vouches[vouchId].subjectProfileId);
+
+      // you may not vouch for archived profiles
+      // however, you may vouch for verified AND mock profiles
+      // we allow vouching for mock profiles in case they are later verified
+      if (archived || (!mock && !verified)) {
+          revert InvalidEthosProfileForVouch(vouches[vouchId].subjectProfileId);
+      }
      
    // get the profile id of the author
    uint256 profileId = IEthosProfile(
      contractAddressManager.getContractAddressForName(ETHOS_PROFILE)
    ).verifiedProfileIdForAddress(msg.sender);
    _vouchShouldBelongToAuthor(vouchId, profileId);
    // make sure this vouch is active; not unvouched
    _vouchShouldBePossibleUnvouch(vouchId);

    uint256 subjectProfileId = vouches[vouchId].subjectProfileId;
    (uint256 toDeposit, ) = applyFees(msg.value, true, subjectProfileId);
    vouches[vouchId].balance += toDeposit;

    emit VouchIncreased(vouchId, profileId, subjectProfileId, msg.value);
  }