Quiet Cyan Hyena
Medium
When an address is deleted from a profile, it is pushed to the `removedAddresses` array.
However, when the same address is registered again to the profile, it is not popped out from the `removedAddresses` array.
As a result, the number of addresses tied to the profile becomes inflated, preventing the user from adding the maximum number of addresses allowed to his own profile.
When an address is deleted, it is popped out from the `addresses` array and pushed into the `removedAddresses` array, using the following `EthosProfile._deleteAddressAtIndexFromArray()` function.
```solidity
function _deleteAddressAtIndexFromArray(
    uint256 index,
    address[] storage addresses,
    address[] storage removedAddresses
) private {
    address addr = addresses[addresses.length - 1];
    addresses[index] = addr;
    removedAddresses.push(addr);
    addresses.pop();
}
```
When the deleted address is registered again to the profile, it is pushed back into the `addresses` array but not popped out from the `removedAddresses` array, in the following `EthosProfile.registerAddress()` function.
```solidity
function registerAddress(
    address addressStr,
    uint256 profileId,
    uint256 randValue,
    bytes calldata signature
) external whenNotPaused onlyNonZeroAddress(addressStr) {
    // ...SKIP...
    profiles[profileId].addresses.push(addressStr);
    profileIdByAddress[addressStr] = profileId;
    checkMaxAddresses(profileId);
    emit AddressClaim(profileId, addressStr, AddressClaimStatus.Claimed);
}
```
As a result, the same address exists in both the `addresses` and `removedAddresses` arrays. This causes the total number of addresses tied to the profile to be inflated, and the user is unable to add the maximum number of addresses allowed to his own profile due to the following `EthosProfile.checkMaxAddresses()` function.
```solidity
function checkMaxAddresses(uint256 profileId) internal view {
    uint256 sum = profiles[profileId].addresses.length;
    sum += profiles[profileId].removedAddresses.length;
    if (sum > maxNumberOfAddresses) {
        revert MaxAddressesReached(profileId);
    }
}
```
- Assume that `maxNumberOfAddresses = 10` and a user has added `10` addresses to his own profile.
- The user deletes address `addr1` from his profile. `addr1` is popped from `addresses` and pushed into `removedAddresses`. Now, `addresses.length = 9` and `removedAddresses.length = 1`.
- The user registers `addr1` again to his own profile. `addr1` is pushed back into `addresses` but not popped out from `removedAddresses`.
- With 10 addresses in `addresses` and 1 address in `removedAddresses`, the registration reverts in the `checkMaxAddresses()` function because the combined total sum exceeds the maximum allowed.
This breaks core contract functionality because users are unable to register the maximum number of addresses to their profile.
Assume that a user added `addr1` to `addr10` and removed `addr1` to `addr5`. In this case, the user can't add `addr11`, but the user can't add `addr1` back either. He should, however, be able to add removed addresses back.
In the `registerAddress()` function, if the address has previously been deleted, it should be removed from the `removedAddresses` array when it is registered again.
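One way to implement this mitigation, shown on a simplified single-profile model (an added example, not code from the report or from EthosProfile). The contract name `ProfileAddressesModel`, the constant `MAX_ADDRESSES` and the helper `_removeIfPresent` are hypothetical, and signature verification, pausing and profile IDs are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the bookkeeping described above (hypothetical, not EthosProfile).
contract ProfileAddressesModel {
    uint256 public constant MAX_ADDRESSES = 10; // plays the role of maxNumberOfAddresses

    address[] public addresses;
    address[] public removedAddresses;

    error MaxAddressesReached();
    error AddressNotFound();

    function register(address addr) external {
        // Mitigation: a re-registered address must stop counting as "removed".
        _removeIfPresent(removedAddresses, addr);
        addresses.push(addr);
        _checkMax();
    }

    function remove(address addr) external {
        if (!_removeIfPresent(addresses, addr)) revert AddressNotFound();
        removedAddresses.push(addr);
    }

    // Swap-and-pop the first occurrence of `addr`; returns false if it is absent.
    function _removeIfPresent(address[] storage list, address addr) private returns (bool) {
        uint256 len = list.length;
        for (uint256 i = 0; i < len; i++) {
            if (list[i] == addr) {
                list[i] = list[len - 1];
                list.pop();
                return true;
            }
        }
        return false;
    }

    // Same rule as checkMaxAddresses(): active plus removed must not exceed the cap.
    function _checkMax() private view {
        if (addresses.length + removedAddresses.length > MAX_ADDRESSES) {
            revert MaxAddressesReached();
        }
    }
}
```

If the `_removeIfPresent(removedAddresses, addr)` call in `register()` is deleted, registering ten addresses, removing one and registering it again reverts with `MaxAddressesReached`, which is the scenario described above. The linear scan is bounded because both arrays together never exceed the cap.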