Calm Fiery Llama

High

Unclaimed mock profiles are unable to claim rewards, causing vouchers to pay donation fees for no benefit

Summary

The check in EthosVouch.sol will prevent mock profiles from claiming their rewards. Therefore, vouchers will pay donation fees for nothing and the funds will be stuck in the contract.

Root Cause

In EthosVouch.sol:673, a check ensures that mock profiles cannot claim their rewards, even though the protocol explicitly allows vouches for mocks.

Internal pre-conditions

  1. entryDonationFeeBasisPoints needs to be greater than 0.

External pre-conditions

None.

Attack Path

  1. A user calls EthosVouch::vouchByAddress() or EthosVouch::vouchByProfileId() to vouch for a mock profile. The caller pays a donation fee, which should later be claimable by the mock.
  2. The mock profile calls EthosVouch::claimRewards() to claim their rewards, but the call reverts.

Impact

Mock profiles cannot claim their rewards, and the funds will be stuck in the contract. Furthermore, vouchers will pay a donation fee for nothing if they vouch for a mock profile, essentially donating the funds to the contract.

PoC

No response

Mitigation

Consider allowing mock profiles to call EthosVouch::claimRewards() to claim their rewards.
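
The accounting behind the attack path and the suggested mitigation, as an added example that is not part of the original report and not the project's code. It is a simplified Python model: the `VouchModel` class, the `ProfileNotClaimable` error, the `allow_mock_claims` switch and the fee formula are assumptions.

```python
# Simplified model of the flow in this report. Constructed for illustration:
# it is not EthosVouch.sol. The class and error names, the allow_mock_claims
# switch and the fee formula (amount * bps // 10_000) are assumptions.
from dataclasses import dataclass, field

BASIS_POINTS = 10_000

class ProfileNotClaimable(Exception):
    """Stands in for the revert a mock profile hits when it tries to claim."""

@dataclass
class VouchModel:
    entry_donation_fee_basis_points: int
    allow_mock_claims: bool = False              # False: behaviour in the report
    mock: dict = field(default_factory=dict)     # profile_id -> is_mock
    rewards: dict = field(default_factory=dict)  # profile_id -> credited wei
    balance: int = 0                             # wei held by the contract

    def vouch(self, subject_id: int, amount: int) -> int:
        """Take the donation fee out of `amount` and credit it to the subject."""
        fee = amount * self.entry_donation_fee_basis_points // BASIS_POINTS
        self.rewards[subject_id] = self.rewards.get(subject_id, 0) + fee
        self.balance += amount
        return fee

    def claim_rewards(self, caller_id: int) -> int:
        """Pay out credited rewards; mocks are rejected unless mitigated."""
        if self.mock.get(caller_id, False) and not self.allow_mock_claims:
            raise ProfileNotClaimable(caller_id)
        amount = self.rewards.get(caller_id, 0)
        self.rewards[caller_id] = 0
        self.balance -= amount
        return amount

    def unclaimable_rewards(self) -> int:
        """Invariant check: rewards credited to profiles that cannot claim."""
        stuck = sum(v for p, v in self.rewards.items() if self.mock.get(p, False))
        return 0 if self.allow_mock_claims else stuck

def run_scenario(allow_mock_claims: bool):
    """Vouch for mock profile 7, then let it try to claim (constructed values)."""
    m = VouchModel(200, allow_mock_claims=allow_mock_claims, mock={7: True})
    fee = m.vouch(subject_id=7, amount=10**18)   # 1 ETH vouch, 2% donation fee
    try:
        claimed = m.claim_rewards(7)
    except ProfileNotClaimable:
        claimed = None
    return fee, claimed, m.unclaimable_rewards()
```

`run_scenario(False)` models the reported behaviour, with the fee credited and never withdrawable; `run_scenario(True)` models the mitigation.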