Skip to content

Latest commit

 

History

History
41 lines (23 loc) · 1.97 KB

File metadata and controls

41 lines (23 loc) · 1.97 KB

Calm Fiery Llama

Medium

Users can vouch for a short period of time to grief other users and steal the vouchersPoolFee of every call to add or increase a vouch during that period

Summary

A missing check to reward only vouches that have been active for a specific amount of time will cause users to lose their rightful share of the vouchersPoolFee, as any user can vouch for only a short period of time as soon as they get information about when a vouch is going to be added. Therefore, users can steal the vouchersPoolFee applied to any call to EthosVouch::vouchByAddress(), EthosVouch::vouchByProfileId() or EthosVouch::increaseVouch().

Root Cause

In EthosVouch.sol:721 every vouch that is currently active for the same subject, regardless of how long it has been active, receives a share of the vouchersPoolFee.

Internal pre-conditions

  1. entryVouchersPoolFeeBasisPoints must be greater than 0.

External pre-conditions

None.

Attack Path

  1. Alice receives information about when Bob wants to vouch.
  2. Alice calls EthosVouch::vouchByAddress() to vouch for that address.
  3. Bob calls EthosVouch::vouchByAddress() to add his vouch.
  4. Alice steals a share of the vouchersPoolFee from other users even though she has only vouched for a brief period of time.
  5. Alice calls EthosVouch::unvouch() to remove her vouch.

Impact

Users who vouched for the same subject could lose a significant portion of their deserved share of the vouchersPoolFee every time the reward is distributed. Even though this might not be profitable for the users stealing the funds, they will still cause other non-malicious users to lose funds.

PoC

No response

Mitigation

Consider adding a threshold for how long a user must be vouched for in order to receive a share of the vouchersPoolFee.