Insufficient Caller verification in EthosVouch::claimRewards() Allows Unauthorized Reward Claims by Compromised or deleted Addresses
Summary
No response
Root Cause
The claimRewards function in the EthosVouch contract is intended to allow users to claim rewards associated with their profile.
```solidity
function claimRewards() external whenNotPaused nonReentrant {
    (bool verified, , bool mock, uint256 callerProfileId) = IEthosProfile(
        contractAddressManager.getContractAddressForName(ETHOS_PROFILE)
    ).profileStatusByAddress(msg.sender); //@check - does not check for compromised address

    // Only check that this is a real profile (not mock) and was verified at some point
    if (!verified || mock) {
        revert ProfileNotFoundForAddress(msg.sender);
    }

    uint256 amount = rewards[callerProfileId];
    if (amount == 0) revert InsufficientRewardsBalance();

    rewards[callerProfileId] = 0;
    (bool success, ) = msg.sender.call{ value: amount }("");
    if (!success) revert FeeTransferFailed("Rewards claim failed");

    emit WithdrawnFromRewards(callerProfileId, amount);
}
```
However, the function currently relies on the profileStatusByAddress method of the EthosProfile contract to validate the caller:
```solidity
/**
 * @dev Returns the status of a profile by its associated address.
 * @notice This does not check if the address has been removed from the profile.
 * It will return the profileId even if the address has been removed.
 * @param addressStr The address to check.
 * @return verified Whether the profile is verified.
 * @return archived Whether the profile is archived.
 * @return mock Whether the profile is a mock profile.
 * @return profileId The ID of the profile associated with the address.
 */
function profileStatusByAddress(
    address addressStr
) public view returns (bool verified, bool archived, bool mock, uint256 profileId) {
    profileId = profileIdByAddress[addressStr];
    (verified, archived, mock) = profileStatusById(profileId);
}
```
As the NatSpec comment states, this function does not check whether the address has been removed from the profile; it returns the profileId even if the address has been removed.
```solidity
function claimRewards() external whenNotPaused nonReentrant {
    ...............
    ..............
    // Only check that this is a real profile (not mock) and was verified at some point
    if (!verified || mock) {
        revert ProfileNotFoundForAddress(msg.sender);
    }
```
In claimRewards(), the function checks that the profile is verified and not a mock, but it does not verify whether the calling address is compromised or has been removed from the profile.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Compromised Address: An address associated with a profile is compromised and has been removed from the profile in EthosProfile.
Attempt to Claim Rewards: The compromised address calls the claimRewards function.
Insufficient Validation: The function checks if the profile is verified and not a mock but does not check if the address is compromised.
Rewards Claimed: The compromised address successfully claims the rewards, potentially leading to unauthorized access to funds.
Impact
A compromised address claims all the rewards.
PoC
No response
Mitigation
Verify that the caller is not a compromised or removed address.
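A hardened form of the caller check, added here as an example and not the project's own code: it keeps the page's verified/mock check and adds an explicit rejection of removed addresses. It assumes a hypothetical isAddressCompromised(address) view on the profile contract; the interface name IProfileLookup, the contract name, and the omission of the whenNotPaused/nonReentrant modifiers are likewise this example's simplifications.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Assumed minimal interface (not the project's own): besides the
/// profileStatusByAddress lookup shown above, the profile contract is
/// assumed to report whether an address has been removed (compromised).
interface IProfileLookup {
    function profileStatusByAddress(address addr)
        external view returns (bool verified, bool archived, bool mock, uint256 profileId);
    function isAddressCompromised(address addr) external view returns (bool); // hypothetical
}

contract RewardsClaimHardened {
    IProfileLookup public immutable profile;
    mapping(uint256 => uint256) public rewards;

    error ProfileNotFoundForAddress(address addr);
    error AddressCompromised(address addr);
    error InsufficientRewardsBalance();
    error FeeTransferFailed(string reason);
    event WithdrawnFromRewards(uint256 indexed profileId, uint256 amount);

    constructor(address profileAddr) { profile = IProfileLookup(profileAddr); }

    /// Shared caller check: the profile must be verified and real, AND the
    /// specific calling address must still be an active member of that profile.
    function _activeProfileIdFor(address caller) internal view returns (uint256) {
        (bool verified, , bool mock, uint256 profileId) = profile.profileStatusByAddress(caller);
        if (!verified || mock) revert ProfileNotFoundForAddress(caller);
        // The missing check: profileStatusByAddress still maps a removed address
        // to its old profileId, so the removed/compromised state is tested separately.
        if (profile.isAddressCompromised(caller)) revert AddressCompromised(caller);
        return profileId;
    }

    function claimRewards() external {
        uint256 callerProfileId = _activeProfileIdFor(msg.sender);
        uint256 amount = rewards[callerProfileId];
        if (amount == 0) revert InsufficientRewardsBalance();
        rewards[callerProfileId] = 0; // effects before the external call
        (bool success, ) = msg.sender.call{ value: amount }("");
        if (!success) revert FeeTransferFailed("Rewards claim failed");
        emit WithdrawnFromRewards(callerProfileId, amount);
    }
}
```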
Energetic Honeysuckle Leopard
High
https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/57c02df7c56f0b18c681a89ebccc28c86c72d8d8/ethos/packages/contracts/contracts/EthosVouch.sol#L667