Skip to content

Latest commit

 

History

History
41 lines (21 loc) · 1.51 KB

036.md

File metadata and controls

41 lines (21 loc) · 1.51 KB
Raw

Winning Strawberry Salmon

High

The Profile do not have right to close and reopen review even the author has been removed.

Summary

The ability to close and open review can only be called by the address that published the comment due to the following checks, which is inconsistent with the permissions of editReview.Even if the author has been removed from the profile, the profile still cannot close or reopen the Review.

Root Cause

https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosReview.sol#L300

Internal pre-conditions

None

External pre-conditions

None

Attack Path

  1. An author who has published a review has been removed from the profile.

  2. The author can still close and reopen their review, impacting the profile's reputation assessment.

Impact

  1. There is a permission inconsistency; the edit permissions for a review are granted to all addresses of the profile, while the permissions to close and delete can only be executed by the address of the review's author.

  2. Addresses that have been removed from the profile can still open and close reviews, which impacts the reputation system of the profile.

PoC

No response

Mitigation

I recommend transferring the permissions to close and open reviews to the profile instead of the author. If the current situation is maintained, consider revoking the permissions to close and open reviews from an address when it is removed and transferring those permissions to the profile.