durov - Review authors should be able to archive and restore reviews from any address that belongs to the profile #318

Open
sherlock-admin2 opened this issue Nov 4, 2024 · 1 comment
Labels: Sponsor Confirmed (The sponsor acknowledged this issue is valid); Will Fix (The sponsor confirmed this issue will be fixed)

sherlock-admin2 commented Nov 4, 2024

durov

Medium

Review authors should be able to archive and restore reviews from any address that belongs to the profile

Summary

In EthosReview.sol, authors of reviews can archive and restore reviews only from the original address, even though the profile can have multiple addresses registered to it.

  function archiveReview(uint256 reviewId) external whenNotPaused {
    (bool exists, ) = targetExistsAndAllowedForId(reviewId);

    if (!exists) {
      revert ReviewNotFound(reviewId);
    }

    Review storage review = reviews[reviewId];

    if (review.archived) {
      revert ReviewIsArchived(reviewId);
    }

    if (review.author != msg.sender) {
      revert UnauthorizedArchiving(reviewId);
    }

    review.archived = true;

    emit ReviewArchived(reviewId, msg.sender, review.subject);
  }

  function restoreReview(uint256 reviewId) external whenNotPaused {
    _getEthosProfile().verifiedProfileIdForAddress(msg.sender);
    Review storage review = reviews[reviewId];

    if (review.author == address(0)) {
      revert ReviewNotFound(reviewId);
    }

    if (review.author != msg.sender) {
      revert UnauthorizedArchiving(reviewId);
    }

    if (!review.archived) {
      revert ReviewNotArchived(reviewId);
    }

    review.archived = false;

    emit ReviewRestored(reviewId, msg.sender, review.subject);
  }

https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosReview.sol#L287-L332

Root Cause

Checks in EthosReview:300, EthosReview:321

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Authors can't archive or restore their reviews from different addresses belonging to the same profile, even though they can edit their reviews from different addresses.

PoC

No response

Mitigation

Let authors archive or restore their reviews from any address that belongs to their profile.
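
One way to express the mitigation above, as an added sketch that is not part of the original report and not the project's fix: authorization compares the caller's profile ID with the profile ID recorded when the review was written, instead of comparing `msg.sender` with `review.author`. `IProfileLookup`, `ReviewArchiveSketch`, `addReview`, `authorProfileId` and `_authorReview` are hypothetical names, and the `uint256` return value and revert-on-unverified behaviour of `verifiedProfileIdForAddress` are assumptions; events and the pause guard are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: only the function name appears in the issue's snippet.
// Assumption: it returns the caller's profile ID and reverts if none is verified.
interface IProfileLookup {
  function verifiedProfileIdForAddress(address account) external view returns (uint256);
}

contract ReviewArchiveSketch {
  struct Review { address author; uint256 authorProfileId; bool archived; }

  error ReviewNotFound(uint256 reviewId);
  error ReviewIsArchived(uint256 reviewId);
  error ReviewNotArchived(uint256 reviewId);
  error UnauthorizedArchiving(uint256 reviewId);

  IProfileLookup public immutable profiles;
  mapping(uint256 => Review) public reviews;
  uint256 public reviewCount;

  constructor(IProfileLookup profiles_) { profiles = profiles_; }

  // Records the author's profile ID at write time (hypothetical helper).
  function addReview() external returns (uint256 id) {
    id = reviewCount++;
    reviews[id] = Review(msg.sender, profiles.verifiedProfileIdForAddress(msg.sender), false);
  }

  // Shared check: the caller must resolve to the profile that wrote the review,
  // so any address registered to that profile passes, and no other address does.
  function _authorReview(uint256 reviewId) private view returns (Review storage review) {
    review = reviews[reviewId];
    if (review.author == address(0)) revert ReviewNotFound(reviewId);
    if (profiles.verifiedProfileIdForAddress(msg.sender) != review.authorProfileId)
      revert UnauthorizedArchiving(reviewId);
  }

  function archiveReview(uint256 reviewId) external {
    Review storage review = _authorReview(reviewId);
    if (review.archived) revert ReviewIsArchived(reviewId);
    review.archived = true;
  }

  function restoreReview(uint256 reviewId) external {
    Review storage review = _authorReview(reviewId);
    if (!review.archived) revert ReviewNotArchived(reviewId);
    review.archived = false;
  }
}
```

Routing both functions through one check keeps archive and restore from drifting apart; whether an address later removed from a profile keeps this right depends on what the lookup returns for it, which should be covered by a test.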

sherlock-admin4 changed the title from "Basic Pebble Haddock - Review authors should be able to archive and restore reviews from any address that belongs to the profile" to "durov - Review authors should be able to archive and restore reviews from any address that belongs to the profile" on Nov 20, 2024
@sherlock-admin2

The protocol team fixed this issue in the following PRs/commits:
https://github.com/trust-ethos/ethos/pull/1763

sherlock-admin3 added the Sponsor Confirmed and Will Fix labels on Nov 26, 2024