Skip to content

Latest commit

 

History

History
43 lines (35 loc) · 1.69 KB

080.md

File metadata and controls

43 lines (35 loc) · 1.69 KB

Bubbly Porcelain Blackbird

Medium

Missing whenNotPaused modifier in increaseVouch()

Summary

Inconsistent pausability

Root Cause

The EthosVouch.sol inherits the AccessControl contract, which allow pausing the critical function to be getting accessed during a misfortune. There is whenNotPaused check placed on the vouchByAddress/vouchByProfileId() function, which creates a new vouch and increases the vouch balance under the newly created vouchId. https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/57c02df7c56f0b18c681a89ebccc28c86c72d8d8/ethos/packages/contracts/contracts/EthosVouch.sol#L309

  function vouchByAddress(
    address subjectAddress,
    string calldata comment,
    string calldata metadata
  ) public payable onlyNonZeroAddress(subjectAddress) whenNotPaused { ... }
  function vouchByProfileId(
    uint256 subjectProfileId,
    string calldata comment,
    string calldata metadata
  ) public payable whenNotPaused nonReentrant { ... }

However, the other function, increaseVouch(), which performs a similar task, increasing the current vouch balance of a vouchId—is missing the whenNotPaused modifier. https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/57c02df7c56f0b18c681a89ebccc28c86c72d8d8/ethos/packages/contracts/contracts/EthosVouch.sol#L426

  function increaseVouch(uint256 vouchId) public payable nonReentrant { ... }

Impact

Under a attack, the increaseVouch() call cannot be prevented

Mitigation

-  function increaseVouch(uint256 vouchId) public payable nonReentrant { ... }
+  function increaseVouch(uint256 vouchId) public payable whenNotPaused nonReentrant  { ... }