Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PNS - A compromised address does not lose any ability to perform actions on behalf of the profile #301

Open
sherlock-admin2 opened this issue Nov 4, 2024 · 0 comments
Open

PNS - A compromised address does not lose any ability to perform actions on behalf of the profile #301

sherlock-admin2 opened this issue Nov 4, 2024 · 0 comments

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Nov 4, 2024
edited by sherlock-admin4
Loading

PNS

Medium

A compromised address does not lose any ability to perform actions on behalf of the profile

Summary

The system has a mechanism for marking addresses as compromised to mark addresses that should not have access to actions on behalf of the profile. Unfortunately, this mechanism has no power, it does not limit anything.

Root Cause

First-class citizen in the system is a profile. A profile can have multiple addresses attached that can act on its behalf. If any of the addresses should be deprived of the ability to run the profile, it is removed from it by marking it as compromised.

Unfortunately, this mechanism has no effect on access to functions and acting on behalf of the profile.

Authorization for most functions in the system is based on checking whether a given address belongs to the profile. The problem is that once an address is attached to a profile, it always remains so, and access restriction is based on marking it as compromised and placing it on the list of removed addresses. However, this data is not checked when checking access to individual functions in the system.

Example of checking whether an address belongs to a profile:

    bool senderBelongsToProfile = IEthosProfile(ethosProfile).addressBelongsToProfile( //audit
      msg.sender,
      profileId
    );

Another example would be the lack of verification when sending an invitation:

File: ethos/packages/contracts/contracts/EthosProfile.sol
  211:     (bool verified, bool archived, bool mock, uint256 profileId) = profileStatusByAddress(
  212:       msg.sender
  213:     );

EthosProfile.inviteAddress

Internal pre-conditions

  • profile adds new address
  • profile removes address marking it as compromised

External pre-conditions

No response

Attack Path

  • the malicious address adds negative reviews to all large profiles in the ethos network, ruining their reputation
  • in return, the profile receives negative reviews
  • the profile loses its scoring due to the actions of the compromised address

Impact

  • An unauthorized address can act on behalf of the profile, write negative and positive reviews, archive and add attestations, and act to the detriment of the profile, e.g. by damaging its reputation.
  • There is no way to block a compromised address.

PoC

No response

Mitigation

In functions that require authorization, in addition to checking whether the address belongs to the profile, you should also check whether it is not on a compromised list.
@sherlock-admin4 sherlock-admin4 changed the title Passive Mahogany Porpoise - A compromised address does not lose any ability to perform actions on behalf of the profile PNS - A compromised address does not lose any ability to perform actions on behalf of the profile Nov 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin2