Tall Cloud Tuna
High
The deleteAddressAtIndex function in the EthosProfile contract has a bug where the incorrect address is added to the removedAddresses array when attempting to unregister an address from a profile. This issue can lead to inaccurate tracking of removed addresses and potential inconsistencies in the contract’s data.
In EthosProfile.sol:584, the _deleteAddressAtIndexFromArray function mistakenly assigns the last address in the addresses array to the removedAddresses array instead of the address located at the specified index.
The root cause is that _deleteAddressAtIndexFromArray does not preserve the original address at index before swapping it with the last element in addresses, causing the wrong address to be added to removedAddresses.
No response
No response
-
User (Profile Owner) calls
deleteAddressAtIndexwith a specific index:- The user intends to remove an address from their profile's
addressesarray. The function should add the removed address toremovedAddressesfor accurate historical tracking.
- The user intends to remove an address from their profile's
-
Function proceeds to
_deleteAddressAtIndexFromArray:- The
deleteAddressAtIndexfunction internally calls_deleteAddressAtIndexFromArray, which attempts to delete the address at the given index.
- The
-
Incorrect Address Added to
removedAddresses:- Due to the bug,
_deleteAddressAtIndexFromArraymistakenly moves the last address in theaddressesarray toremovedAddressesrather than the address at the specified index. This incorrect address entry can lead to inaccurate historical records, which may be exploited if tracking address integrity is essential to the contract’s functionality.
- Due to the bug,
-
Potential Exploitation of Mismanaged Data:
- An attacker could exploit this data inconsistency to manipulate or bypass intended contract restrictions, as certain addresses may appear unremoved or incorrectly managed. Over time, this could create vulnerabilities in profile management functions dependent on accurate address tracking (e.g., compromised address handling, permissions).
-
Inaccurate Address Tracking:
- The bug leads to incorrect tracking of addresses removed from profiles. This results in inconsistent historical data, undermining the integrity of the
removedAddressesarray, which is crucial for record-keeping and any functions relying on past address data.
- The bug leads to incorrect tracking of addresses removed from profiles. This results in inconsistent historical data, undermining the integrity of the
-
Compromised Data Integrity:
- The inaccuracy in
removedAddressescould lead to vulnerabilities in profile-related operations, especially those involving permissions, compromised address handling, and invite/authorization mechanisms, as the contract may mistakenly assume addresses are active or inactive in a profile.
- The inaccuracy in
-
Security Exploits:
- Attackers could exploit the tracking error to manipulate profile addresses, potentially bypassing restrictions on compromised accounts or re-registering addresses that should have been flagged as removed. This could lead to unauthorized actions within the network, as addresses marked as compromised or removed could still interact with the contract incorrectly.
-
User Frustration and Loss of Trust:
- Mismanagement of user profiles and addresses could erode user confidence in the system, especially if legitimate addresses appear compromised or removed. This lack of trust could impact the adoption and growth of the Ethos Network.
No response
Code Fix in _deleteAddressAtIndexFromArray:
-
Update
_deleteAddressAtIndexFromArrayto correctly add the address at the specified index toremovedAddressesbefore modifying theaddressesarray. -
Use the following code to ensure only the intended address is added to
removedAddresses:function _deleteAddressAtIndexFromArray( uint256 index, address[] storage addresses, address[] storage removedAddresses ) private { // Store the address at the specified index to be deleted address addrToRemove = addresses[index]; // Add the address to be removed to the removedAddresses array removedAddresses.push(addrToRemove); // If the index is not the last position, move the last element to the index position if (index < addresses.length - 1) { addresses[index] = addresses[addresses.length - 1]; } // Remove the last element from the addresses array addresses.pop(); }