Skip to content

Latest commit

 

History

History
102 lines (75 loc) · 3.13 KB

035.md

File metadata and controls

102 lines (75 loc) · 3.13 KB
Raw

Quiet Ocean Boar

Medium

User can dos another user from using a wallet to register an ethos profile

Summary

A user can DOS another user from using a specific wallet forever by registering the victims wallet address to his profile and then unregistering(setting as compromised) the wallet address.

Root Cause

in EthosProfile.sol ln ln 378 https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosProfile.sol#L373

  function registerAddress(
    address addressStr,
    uint256 profileId,
    uint256 randValue,
    bytes calldata signature
  ) external whenNotPaused onlyNonZeroAddress(addressStr)

the function registerAddress allows a user to register another wallet address to his profile. Since there is no way to know if the wallet he is registering belongs to him or not, a user can abuse this to register a wallet which he does not own.

the function validateAndSaveSignature only validates that the hash of the parameters is signed by the ethos signer. It does not check if the wallet being registered has signed a message as shown below.

    validateAndSaveSignature(
      _keccakForRegisterAddress(addressStr, profileId, randValue),
      signature
    );
  function validateAndSaveSignature(
    bytes32 messageHash,
    bytes calldata signature
  ) internal onlyUnusedSignature(signature) {
    bool isValid = ISignatureVerifier(signatureVerifier).verifySignature(
      expectedSigner,
      messageHash,
      signature
    );

    if (!isValid) {
      revert InvalidSignature();
    }

    signatureUsed[signature] = true;
  }
  function verifySignature(
    address expectedSigner,
    bytes32 messageHash,
    bytes memory signature
  ) external view returns (bool) {
    bytes32 ethSignedMessageHash = _getEthSignedMessageHash(messageHash);

    return SignatureChecker.isValidSignatureNow(expectedSigner, ethSignedMessageHash, signature);
  }

The ethos signer has no way of knowing that the address does not belong to a user since it does not request a signature from said wallet.

Now that the user has registered anothers wallet, he can call the following function with the victims wallet...

function deleteAddressAtIndex(uint256 addressIndex)

the function will set the wallet to compromised and because in order to invite a wallet to create a profile the wallet must not be compromised, the specific wallet can never make an ethos profile. This can be observed below in the modifier checkIfCompromised in the function inviteAddress

  function inviteAddress(
    address invitee
  ) public whenNotPaused onlyNonZeroAddress(invitee) checkIfCompromised(invitee)

Internal pre-conditions

  1. the wallet must not yet have an ethos profile.

External pre-conditions

none

Attack Path

  1. user registers victims wallet as his own
  2. user sets the wallet as compromised
  3. the wallet can never make an ethos profile

Impact

Indefinite DOS for a user, Breaks core contract functionality.

PoC

No response

Mitigation

Validate also a signature of the address being registered to a profile.