Skip to content

Latest commit

 

History

History
80 lines (55 loc) · 2.97 KB

032.md

File metadata and controls

80 lines (55 loc) · 2.97 KB
Raw

Slow Tan Swallow

High

Creators can take advantage of their first vouchers

Summary

Creators (users who are vouched for) can take advantage of their first vouchers by manipulating the weights/balances of themselves using another account controlled by them. That is applyFees will never take a vouchersPoolFee for the first voucher,

https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L697-L717

  function _rewardPreviousVouchers(uint256 amount, uint256 subjectProfileId) internal returns (uint256 amountDistributed) {
    uint256[] storage vouchIds = vouchIdsForSubjectProfileId[subjectProfileId];
    uint256 totalVouches = vouchIds.length;

    uint256 totalBalance;
    for (uint256 i = 0; i < totalVouches; i++) {
      Vouch storage vouch = vouches[vouchIds[i]];
      if (!vouch.archived) {
        totalBalance += vouch.balance;
      }
    }

    if (totalBalance == 0) {
      return totalBalance;
    }

but it will for the rest, and more importantly if you are first, you are gonna get 100% of the fee, no matter your vouch (can be the min 0.0001 eth -> 0.40 USD).

https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L719-L731

    uint256 remainingRewards = amount;
    for (uint256 i = 0; i < totalVouches && remainingRewards > 0; i++) {
      Vouch storage vouch = vouches[vouchIds[i]];
      if (!vouch.archived) {
        // If only one you receive 100% of the fee, no matter your vouch balance
        uint256 reward = amount.mulDiv(vouch.balance, totalBalance, Math.Rounding.Floor);
        if (reward > 0) {
          vouch.balance += reward;
          remainingRewards -= reward;
        }
      }
    }

Root Cause

How _rewardPreviousVouchers distributes the fee. Creators being able to receive 100% of the fee while holding little to no amount.

Internal pre-conditions

  1. Creator making an account
  2. Same creator making another profile (or using a friend's profile) to make the first vouch for himself with the min amount

External pre-conditions

  1. Any user vouching for any other user

Attack Path

  1. Bob (a famous guy who everyone would vouch for) makes an account and quickly vouches for himself (from another profile) the lowest amount 0.1
  2. Alice sees that Bob has made a profile, knowing that the first voucher does not pay vouchersPoolFee she quickly vouches for him 10 ETH

However since Bob has already vouched for himself, the fee that Alice pays (5% vouchersPoolFee) goes strait to Bob's other account. Bob has successfully received a 0.5 ETH fee, while only vouching 0.0001 ETH, or only 0.40 USD for himself.

Impact

First voucher looses part of his funds. User who gets vouched for receives an extra donation/fee.

PoC

No response

Mitigation

The fee distributing design sounds cool, however there are many flaws with it, consider doing a slight redesign to fix all of the issues.