Energetic Honeysuckle Leopard - Update of unhealthyResponsePeriod Prevents Users from Marking Vouches as Unhealthy

[sherlock-admin2]

Energetic Honeysuckle Leopard

Medium

Update of unhealthyResponsePeriod Prevents Users from Marking Vouches as Unhealthy

Summary

Root Cause

The updateUnhealthyResponsePeriod function in the EthosVouch contract allows an admin to change the duration within which a vouch can be marked as unhealthy after unvouching. This change can be made immediately and without any transition period, potentially preventing users from marking a vouch as unhealthy if they are close to the current limit.

function updateUnhealthyResponsePeriod(
    uint256 unhealthyResponsePeriodDuration
  ) external onlyAdmin whenNotPaused {
    unhealthyResponsePeriod = unhealthyResponsePeriodDuration;
  }

https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/57c02df7c56f0b18c681a89ebccc28c86c72d8d8/ethos/packages/contracts/contracts/EthosVouch.sol#L659C3-L663C4

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

Current Setting: The unhealthyResponsePeriod is set to 24 hours.
User Action: User A unvouches and plans to mark the vouch as unhealthy at the 23-hour mark, relying on the current 24-hour period.
Admin Update: Before User A can mark the vouch as unhealthy, the admin changes the unhealthyResponsePeriod to 12 hours.
User Disadvantage: User A is now unable to mark the vouch as unhealthy because the period has expired under the new setting, despite being within the original timeframe.

Impact

Users are unable to perform a critical action (marking a vouch as unhealthy

PoC

No response

Mitigation

No response