Skip to content

Latest commit

 

History

History
53 lines (40 loc) · 2.96 KB

File metadata and controls

53 lines (40 loc) · 2.96 KB

Overt Alabaster Cottonmouth

Medium

Any reduction in unhealthyResponsePeriod via call to updateUnhealthyResponsePeriod() should not affect existing eligible users waiting to exercise markUnhealthy()

Description & Impact

Admin can call updateUnhealthyResponsePeriod() and update unhealthyResponsePeriod, effectively reducing it from 24 hours to say, 20 hours. Any existing author who had called unvouch() for example 22 hours earlier (and hence had another 2 hours in their kitty) will immediately lose the capability to call markUnhealthy().

Proof of Concept

We will modify an existing test and see it pass when run via npm run hardhat -- test --grep "Should revert if CannotMarkVouchAsUnhealthy":

diff --git a/ethos/packages/contracts/test/EthosVouch.test.ts b/ethos/packages/contracts/test/EthosVouch.test.ts
index be4d7f1..90101cd 100644
--- a/ethos/packages/contracts/test/EthosVouch.test.ts
+++ b/ethos/packages/contracts/test/EthosVouch.test.ts
@@ -831,13 +831,13 @@ describe('EthosVouch', () => {
           await expect(ethosVouch.connect(VOUCHER_0).markUnhealthy(11))
             .to.be.revertedWithCustomError(ethosVouch, 'VouchNotFound')
             .withArgs(11);
         });
 
         it('Should revert if CannotMarkVouchAsUnhealthy, unhealthyResponsePeriod has passed', async () => {
-          const { ethosVouch, VOUCHER_0, PROFILE_CREATOR_0, ethosProfile, OWNER } =
+          const { ethosVouch, ADMIN, VOUCHER_0, PROFILE_CREATOR_0, ethosProfile, OWNER } =
             await loadFixture(deployFixture);
 
           await ethosProfile.connect(OWNER).inviteAddress(VOUCHER_0.address);
           await ethosProfile.connect(OWNER).inviteAddress(PROFILE_CREATOR_0.address);
           await ethosProfile.connect(VOUCHER_0).createProfile(1);
           await ethosProfile.connect(PROFILE_CREATOR_0).createProfile(1);
@@ -849,13 +849,14 @@ describe('EthosVouch', () => {
             });
 
           await ethosVouch.connect(VOUCHER_0).unvouch(0);
 
           await time.increase(100);
 
-          await time.increase(await ethosVouch.unhealthyResponsePeriod());
+          await time.increase(time.duration.hours(23));
+          await ethosVouch.connect(ADMIN).updateUnhealthyResponsePeriod(time.duration.hours(22));
 
           await expect(ethosVouch.connect(VOUCHER_0).markUnhealthy(0))
             .to.be.revertedWithCustomError(ethosVouch, 'CannotMarkVouchAsUnhealthy')
             .withArgs(0);
         });
 

Mitigation

When any author calls unvouch(), their deadline for calling markUnhealthy() can be calculated & stored right away and used for verification later on.