Spicy Nylon Cormorant

Medium

Self-reviews on attestations can be performed

Summary

When a review is added, the contract checks that the caller's profile is not the same as the profile of the subject or attestation being reviewed. In the case of attestations, however, this validation can be bypassed.

Root Cause

_validateReviewDetails ensures that self-reviews are not possible. However, in the case of attestations, a user can create a review for an existing attestation right before they claim it through the createAttestation function. This lets them bypass the validation and create self-reviews.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. A user is about to claim an existing attestation for their profile.
  2. Right before they claim it, they create multiple positive reviews on that attestation.
  3. They claim the attestation, which now carries multiple unfair reviews.
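
The ordering problem described in the Root Cause and Attack Path, as an added Python model that is not the project's code: the self-review check only knows the profile that currently owns the attestation, so reviews written before the claim pass it and become self-reviews once the claim lands. The ReviewRegistry, add_review and claim_attestation names, and the claim-time archiving shown as a hardened variant, are assumptions for illustration, not the project's fix.

```python
# Toy model (not the project's code); class and method names are assumptions.
from dataclasses import dataclass

@dataclass
class Review:
    author_profile: int
    attestation_id: int
    archived: bool = False

class ReviewRegistry:
    def __init__(self, hardened: bool = False):
        self.hardened = hardened
        self.attestations: dict[int, int | None] = {}  # attestation id -> owning profile
        self.reviews: list[Review] = []

    def create_attestation(self, att_id: int) -> None:
        self.attestations[att_id] = None  # no owning profile until it is claimed

    def _validate_review_details(self, author: int, att_id: int) -> None:
        # Self-review check compares the caller against the profile that currently
        # owns the subject; an unclaimed attestation has no owner, so it passes.
        owner = self.attestations[att_id]
        if owner is not None and owner == author:
            raise ValueError("self-review")

    def add_review(self, author: int, att_id: int) -> None:
        self._validate_review_details(author, att_id)
        self.reviews.append(Review(author, att_id))

    def claim_attestation(self, profile: int, att_id: int) -> None:
        if self.hardened:
            # One possible claim-time guard (assumed here, not the project's fix):
            # archive reviews the claiming profile already wrote on this attestation.
            for r in self.reviews:
                if r.attestation_id == att_id and r.author_profile == profile:
                    r.archived = True
        self.attestations[att_id] = profile

    def active_self_reviews(self) -> int:
        return sum(1 for r in self.reviews if not r.archived
                   and self.attestations[r.attestation_id] == r.author_profile)

def run_attack_path(hardened: bool) -> int:
    # Attack Path steps 1-3: review the unclaimed attestation, then claim it.
    reg = ReviewRegistry(hardened)
    reg.create_attestation(1)
    for _ in range(3):
        reg.add_review(author=42, att_id=1)  # passes: no profile owns it yet
    reg.claim_attestation(42, 1)  # the reviews now point at the author's own profile
    return reg.active_self_reviews()
```

Running run_attack_path(False) yields three active self-reviews; the hardened variant archives them at claim time while leaving reviews from other profiles untouched.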

Impact

Users can self-review, which should not be allowed by the protocol.

PoC

No response

Mitigation

The fix is non-trivial.