Rhythmic Tartan Whale
Medium
Issue Type: Logic Error
Description: In the vouchByAddress function, the return value of the call to profile.verifiedProfileIdForAddress(msg.sender) is not used. In Solidity, discarding return values can lead to logical errors in program execution, potentially causing contract exploits and financial loss.
Impact: Failing to handle the return value of profile.verifiedProfileIdForAddress(msg.sender) might result in missing crucial checks or balances, leaving the contract susceptible to vulnerabilities.
Proof of Concept (PoC): The vulnerable code is found in the vouchByAddress function:
function vouchByAddress(
address subjectAddress,
string calldata comment,
string calldata metadata
) public payable onlyNonZeroAddress(subjectAddress) whenNotPaused {
IEthosProfile profile = IEthosProfile(
contractAddressManager.getContractAddressForName(ETHOS_PROFILE)
);
profile.verifiedProfileIdForAddress(msg.sender);
uint256 profileId = profile.profileIdByAddress(subjectAddress);
vouchByProfileId(profileId, comment, metadata);
}In Solidity, as in other programming languages, functions may return values as part of their execution. While it is possible that in some circumstances it may be safe to discard these return values, in most cases they should be captured by the caller so as to avoid inadvertent logical errors in program execution. In certain situations, failure to properly evaluate function return values can lead to contract exploits and possible loss of funds.
Mitigation: To mitigate this issue, the return value from profile.verifiedProfileIdForAddress(msg.sender) should be captured and properly utilised or evaluated. Here is a modified version of the code:
function vouchByAddress(
address subjectAddress,
string calldata comment,
string calldata metadata
) public payable onlyNonZeroAddress(subjectAddress) whenNotPaused {
IEthosProfile profile = IEthosProfile(
contractAddressManager.getContractAddressForName(ETHOS_PROFILE)
);
// Capture the return value of the function call
+ uint256 verifierProfileId = profile.verifiedProfileIdForAddress(msg.sender);
+ require(verifierProfileId != 0, "Verification failed.");
- profile.verifiedProfileIdForAddress(msg.sender);
uint256 profileId = profile.profileIdByAddress(subjectAddress);
vouchByProfileId(profileId, comment, metadata);
}In the modified code, the return value of profile.verifiedProfileIdForAddress(msg.sender) is stored in verifierProfileId and a check is performed to ensure it is valid before proceeding.
Tools Used: Manual Review.