Skip to content

Latest commit

 

History

History
99 lines (69 loc) · 2.95 KB

071.md

File metadata and controls

99 lines (69 loc) · 2.95 KB

Dry Bubblegum Sheep

High

Incorrect handling of payments Making it impossible to pay Review Price

Summary

When adding a review a user pays a protocol fee that is set by the admin team using the set paymentToken. There is a problem on the way the _handlePayment function handles payment for reviews, it does a checks below:

function _handlePayment(address paymentToken) private onlyValidPaymentToken(paymentToken) {
    uint256 price = reviewPrice[paymentToken].price;

    if (price > 0) {
        if (paymentToken == address(0)) {
           if (msg.value != price) {
            revert WrongPaymentAmount(paymentToken, msg.value);
         }
      } else {
        if (msg.value > 0) {

          revert WrongPaymentAmount(address(0), msg.value);
        }

        IERC20(paymentToken).transferFrom(msg.sender, address(this), price);
      }
    }
  }

At first it checks if price > 0, then if msg.value ain't equal to price it will revert and move to the else block which will also revert if msg.value > 0. This means that payments will not be handled when price is more than 0. This will make the protocol unable to receive deposits. https://github.com/sherlock-audit/2024-10-ethos-network/blob/db37b9dc2b792e245eb683d8a956bcb7ef2f1a27/ethos/packages/contracts/contracts/EthosReview.sol#L478-L494

Root Cause

Using the wrong check on msg.value as shown below

if (msg.value > 0) {
    revert WrongPaymentAmount(address(0),msg.value);
}

Internal pre-conditions

The price of creating a review should be more than 0

External pre-conditions

User wants to pay for the review using the payment tokens' set price

Attack Path

  1. Admin sets review price to 2USDT where USDT is the payment token.
  2. Bob a user who has an EthosProfile wants to add a review to Alices' user address(subject)
  3. The _handlePayment internal function will be called with the address of the PaymentToken..
  4. On Bob paying the 2USDT the transaction will revert because of the check below where by msg.value should not be more than 0.
         if (msg.value > 0) {
             revert WrongPaymentAmount(address(0), msg.value);
        }

With this the protocol won't be able to receive the review fees amount

Impact

  • Protocol will not be able to correct review fees because it'll be impossible to pay price more than 0

PoC

No response

Mitigation

    function _handlePayment(address paymentToken) private onlyValidPaymentToken(paymentToken) {
    uint256 price = reviewPrice[paymentToken].price;

    if (price > 0) {
        if (paymentToken == address(0)) {
           if (msg.value != price) {
            revert WrongPaymentAmount(paymentToken, msg.value);
         }
      } else {
--      if (msg.value > 0) {
++      if (msg.value <= 0) {

          revert WrongPaymentAmount(address(0), msg.value);
        }

        IERC20(paymentToken).transferFrom(msg.sender, address(this), price);
      }
    }
  }