Skip to content

Latest commit

 

History

History
63 lines (39 loc) · 2.75 KB

027.md

File metadata and controls

63 lines (39 loc) · 2.75 KB
Raw

Glorious Cinnabar Kestrel

Medium

Restored addresses will be double-counted on the user's Profile

Summary

The EthosProfile::registerAddress() function allows users to add addresses to their profiles, either as new entries or by restoring previously deleted ones. However, when a user restores an address they previously removed, this address remains in Profile.removedAddresses instead of being deleted. As a result, it is counted twice, once in Profile.addresses and once in Profile.removedAddresses, leading to an incorrect limitation on the total number of addresses a user can register.

Root Cause

The registerAddress() function explicitly allows the user to restore previously deleted addresses:

    // you may restore your own previously deleted address,
    // but you cannot register an address that has been deleted by another user
    if (profileIdByAddress[addressStr] != profileId && isAddressCompromised[addressStr]) {
      revert AddressCompromised(addressStr);
    }

However, the function does not remove the restored address from Profile.removedAddresses. This leads to a situation where the same address is counted in both Profile.addresses and Profile.removedAddresses, wrongly reducing the user's maximum addresses:

  function checkMaxAddresses(uint256 profileId) internal view {
    uint256 sum = profiles[profileId].addresses.length;
    sum += profiles[profileId].removedAddresses.length;
    if (sum > maxNumberOfAddresses) {
      revert MaxAddressesReached(profileId);
    }
  }

Internal pre-conditions

No response

External pre-conditions

The user must restore a previously deleted address.

Attack Path

The default limit of addresses is 128.

  1. Assume a user has 127 active addresses on Profile.addresses and 1 removed address on Profile.removedAddresses
  2. Assume the user decides to restore the previously deleted address via EthosProfile::registerAddress()
  3. The user's transaction will revert with a MaxAddressesReached error, as the removed address will be added to Profile.addresses, making it 128 addresses, but will not be removed from Profile.removedAddresses, thus being double counted

Impact

Once Profile.addresses + Profile.removedAddresses reaches maxNumberOfAddresses, users are blocked from restoring any deleted addresses.

PoC

No response

Mitigation

Include logic in EthosProfile::registerAddress() to remove the address from the array of removedAddresses when restoring an address.