Formal Charcoal Beaver
High
The EthosReview::archiveReview() function doesn't verify whether the author profile is archived or whether msg.sender has been deleted from the author profile. By exploiting this, an archived profile or a deleted address can still archive reviews it previously added. This can influence the credibility score of the reviewed profiles.
The EthosReview::archiveReview() function is as follows.
```solidity
  function archiveReview(uint256 reviewId) external whenNotPaused {
    (bool exists, ) = targetExistsAndAllowedForId(reviewId);
    if (!exists) {
      revert ReviewNotFound(reviewId);
    }
    Review storage review = reviews[reviewId];
    if (review.archived) {
      revert ReviewIsArchived(reviewId);
    }
@>  if (review.author != msg.sender) {
      revert UnauthorizedArchiving(reviewId);
    }
    review.archived = true;
    emit ReviewArchived(reviewId, msg.sender, review.subject);
  }
```
As seen, the function only requires msg.sender == review.author but doesn't verify whether the author profile is archived or whether msg.sender has been deleted from the author profile. As a result, an archived profile or a deleted address can still archive reviews it previously added.
- profile1 added several reviews.
- The user archives profile1 or deletes addr1 from profile1.
- However, profile1 or addr1 can still archive all reviews previously added by it.
- The credibility scores of the profiles associated with archived reviews will be influenced.
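The attack path above, replayed against a simplified Python model (an added example, not the Ethos contracts or the report author's code). ProfileRegistry, ReviewBook and replay are hypothetical names, and the model assumes the profile lookup fails for removed addresses and archived profiles:

```python
# Constructed model of the archive authorization path; names are hypothetical.
class Unauthorized(Exception):
    pass

class ProfileRegistry:
    def __init__(self):
        self.profile_of = {}   # address -> profile id (current members only)
        self.archived = set()  # archived profile ids

    def verified_profile_id(self, addr):
        # Assumption: the lookup fails for removed addresses and archived profiles.
        pid = self.profile_of.get(addr)
        if pid is None or pid in self.archived:
            raise Unauthorized(f"{addr} has no active profile")
        return pid

class ReviewBook:
    def __init__(self, registry, check_profile):
        self.registry = registry
        self.check_profile = check_profile  # False: address check only
        self.reviews = {}

    def add_review(self, review_id, author):
        pid = self.registry.verified_profile_id(author)
        self.reviews[review_id] = {"author": author, "profile": pid, "archived": False}

    def archive_review(self, review_id, sender):
        review = self.reviews[review_id]
        if review["author"] != sender:
            raise Unauthorized("not the author")
        # Added check: sender must still act for the profile that wrote the review.
        if self.check_profile and self.registry.verified_profile_id(sender) != review["profile"]:
            raise Unauthorized("sender no longer acts for the author profile")
        review["archived"] = True

def replay(check_profile, event):
    """Replay the attack path; event is 'archive_profile' or 'delete_address'."""
    reg = ProfileRegistry()
    reg.profile_of["addr1"] = 1
    book = ReviewBook(reg, check_profile)
    book.add_review(100, "addr1")
    if event == "archive_profile":
        reg.archived.add(1)
    else:
        del reg.profile_of["addr1"]
    try:
        book.archive_review(100, "addr1")
    except Unauthorized:
        pass
    return book.reviews[100]["archived"]
```

With the address-only check, the review ends up archived in both scenarios; with the profile check, it stays live.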
Broken core functionality, as an archived profile or a deleted address can still archive reviews. Furthermore, reviews influence the credibility score as per the Ethos docs:
Reviews influence the credibility score. The extent to which they adjust the score depends on the credibility consensus.
- Reviews may be normalized per reviewer; someone who only leaves positive reviews may have less impact. Same for someone who only leaves negative reviews
- The age and volume of reviews
As a result, if an archived profile or a deleted address archives reviews, it will influence all profiles reviewed by it. That is, the credibility scores of the reviewed profiles will be manipulated by the archived profile or deleted address. This was verified by the sponsor in a private thread.
Modify the EthosReview::archiveReview() function as follows.
function archiveReview(uint256 reviewId) external whenNotPaused {
(bool exists, ) = targetExistsAndAllowedForId(reviewId);
if (!exists) {
revert ReviewNotFound(reviewId);
}
Review storage review = reviews[reviewId];
if (review.archived) {
revert ReviewIsArchived(reviewId);
}
if (review.author != msg.sender) {
revert UnauthorizedArchiving(reviewId);
}
+ uint256 authorProfileId = _getEthosProfile().verifiedProfileIdForAddress(msg.sender);
+
+ if (review.authorProfileId != authorProfileId) {
+ revert UnauthorizedEdit(reviewId);
+ }
review.archived = true;
emit ReviewArchived(reviewId, msg.sender, review.subject);
}
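Review bot: The added check reverts with UnauthorizedEdit(reviewId), but this is the archive path and the author check directly above it reverts with UnauthorizedArchiving(reviewId); reuse UnauthorizedArchiving (or a dedicated error) so callers and monitoring can tell a rejected archive from a rejected edit. The added lines also only compare profile IDs, so whether an archived profile is rejected depends on how verifiedProfileIdForAddress(msg.sender) treats archived profiles and removed addresses, which is not visible here; document that behaviour in a comment or add an explicit archived-profile check next to the comparison.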