
0xBhumii - Unauthorized Attestations Allowed for Archived Profiles in EthosAttestation Contract #305

Open
sherlock-admin3 opened this issue Nov 4, 2024 · 0 comments


sherlock-admin3 commented Nov 4, 2024

0xBhumii

Medium

Unauthorized Attestations Allowed for Archived Profiles in EthosAttestation Contract

Summary

The missing validation of profile activity status (archived) in createAttestation will cause unauthorized attestations for archived profiles, as an attacker can exploit this flaw to create or claim attestations under archived profiles.

Root Cause

In EthosAttestation, the contract lacks a check for the profile’s active status in the createAttestation function: the function checks for profile existence but does not verify whether the profile is archived.
https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosAttestation.sol#L184C1-L261C1

Internal pre-conditions

  1. The profileId must exist within the EthosProfile contract.
  2. The attestation’s hashStr should not already be active (i.e., should be archived).
  3. The caller must have a valid signature for the attestation.

External pre-conditions

none

Attack Path

No response

Impact

The affected protocol suffers from unauthorized attestations under archived profiles, potentially damaging the integrity of the Ethos identity system. An attacker could associate false or outdated information with archived profiles, compromising the credibility of the profile data.

PoC

No response

Mitigation

Add a check for the profile’s active status in createAttestation to ensure that only active profiles can create attestations.
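The mitigation above as an added illustrative Solidity sketch (not the Ethos project's code): a minimal attestation contract whose createAttestation rejects both non-existent and archived profiles, where the reported bug corresponds to dropping the archived check. The IProfileRegistry interface, its function names and the attestation storage layout are assumptions, and the signature verification listed in the pre-conditions is omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal profile registry interface (assumption, not the real EthosProfile ABI).
interface IProfileRegistry {
    function profileExists(uint256 profileId) external view returns (bool);
    function isArchived(uint256 profileId) external view returns (bool);
}

contract AttestationExample {
    struct Attestation {
        uint256 profileId;
        bool archived;
        uint256 createdAt;
    }

    IProfileRegistry public immutable profiles;
    // Attestations keyed by the hash of (account, service), a stand-in for hashStr.
    mapping(bytes32 => Attestation) public attestations;

    error ProfileNotFound(uint256 profileId);
    error ProfileArchived(uint256 profileId);
    error AttestationAlreadyActive(bytes32 hash);

    event AttestationCreated(uint256 indexed profileId, bytes32 indexed hash);

    constructor(IProfileRegistry _profiles) {
        profiles = _profiles;
    }

    // Hardened pre-check: the profile must exist AND must not be archived.
    // The issue described above is equivalent to this function having only its first line.
    function _requireActiveProfile(uint256 profileId) internal view {
        if (!profiles.profileExists(profileId)) revert ProfileNotFound(profileId);
        if (profiles.isArchived(profileId)) revert ProfileArchived(profileId);
    }

    function createAttestation(uint256 profileId, string calldata account, string calldata service) external {
        _requireActiveProfile(profileId);
        bytes32 hash = keccak256(abi.encodePacked(account, service));
        Attestation storage existing = attestations[hash];
        // Only a non-existent or archived attestation may be (re)created under this hash.
        if (existing.profileId != 0 && !existing.archived) revert AttestationAlreadyActive(hash);
        attestations[hash] = Attestation({profileId: profileId, archived: false, createdAt: block.timestamp});
        emit AttestationCreated(profileId, hash);
    }
}
```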

@sherlock-admin4 sherlock-admin4 changed the title Silly Grape Bear - Unauthorized Attestations Allowed for Archived Profiles in EthosAttestation Contract 0xBhumii - Unauthorized Attestations Allowed for Archived Profiles in EthosAttestation Contract Nov 20, 2024