Spicy Nylon Cormorant
Medium
When a review is added, the code checks that the caller's profile is not the same as the profile of the subject/attestation. However, in the case of attestations, this validation can be bypassed.
The _validateReviewDetails function ensures that self-reviews are not possible. However, in the case of attestations, a user can create a review for an existing attestation right before they claim it through the createAttestation function. This allows them to bypass the validation and create self-reviews.
- A user is about to claim an existing attestation for their profile.
- Right before they claim it, they create multiple positive reviews on that attestation.
- They claim the attestation that has multiple unfair reviews.
Users can self-review, which should not be allowed by the protocol.
The fix is non-trivial.
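The sequence above can be replayed against a simplified model to show why a check made only when the review is written does not hold once ownership changes. This is an added example, not the protocol's contract code: the `Registry` class, its method names, the profile ids and the attestation key are all constructed for illustration, and `self_reviews` is an invariant check of the kind a test suite or monitor could run, not the project's fix.

```python
from dataclasses import dataclass, field

@dataclass
class Registry:
    """Toy model: attestation -> owning profile id, plus stored reviews."""
    owner_of: dict = field(default_factory=dict)  # attestation key -> profile id
    reviews: list = field(default_factory=list)   # (author profile id, attestation key)

    def add_review(self, author, attestation):
        # Write-time check only: compares the author with whoever owns the
        # attestation at this moment (the role the report gives to
        # _validateReviewDetails).
        if self.owner_of.get(attestation) == author:
            raise ValueError("self-review rejected")
        self.reviews.append((author, attestation))

    def claim(self, profile, attestation):
        # Ownership moves to the claimant; stored reviews are not re-examined.
        self.owner_of[attestation] = profile

    def self_reviews(self):
        # Invariant: no stored review is authored by the current owner of
        # the attestation it targets. Returns every violation.
        return [(a, att) for a, att in self.reviews
                if self.owner_of.get(att) == a]

def replay():
    """Replays the three steps from the report on constructed data."""
    att = "x.com/example"                   # constructed attestation key
    reg = Registry(owner_of={att: 7})       # currently owned by profile 7
    reg.add_review(42, att)                 # profile 42 reviews it: passes
    reg.add_review(42, att)                 # and again: passes
    before = reg.self_reviews()             # invariant still holds
    reg.claim(42, att)                      # profile 42 now claims it
    after = reg.self_reviews()              # both reviews are now self-reviews
    try:
        reg.add_review(42, att)             # a review after the claim is blocked
        blocked = False
    except ValueError:
        blocked = True
    return before, after, blocked

if __name__ == "__main__":
    print(replay())
```
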