Skip to content

Latest commit

 

History

History
51 lines (33 loc) · 3.22 KB

039.md

File metadata and controls

51 lines (33 loc) · 3.22 KB
Raw

Tall Cloud Tuna

High

An attacker can cause gas exhaustion and storage bloat for users by spamming reviews

Summary

The editReview() function in the EthosReview contract lacks restrictions on the size of the comment and metadata fields, as well as the frequency of edits. This enables attackers to continuously expand these fields with large data, resulting in storage bloat and increasing gas costs for other contract interactions. Unlike addReview(), which requires a fee for each new review, editReview() can be called repeatedly without incurring additional fees, making it possible to exploit without relying on a low-fee setup. This attack can degrade contract usability, increasing gas fees for legitimate users and potentially causing a Denial of Service (DoS). https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosReview.sol#L173-L219 https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosReview.sol#L261-L281 This logic works on EthosDiscussion contract's addReply() and editReply() too.

Root Cause

The editReview() function allows unlimited and cost-free modifications to the comment and metadata fields of a review.

  1. Lacks size limits on comment and metadata, allowing attackers to expand storage use significantly with each call.
  2. Does not impose fees or rate limits on repeated editReview() calls, making it easy to spam large edits at little to no cost.

Internal pre-conditions

  1. A review exists that the attacker can edit using editReview().
  2. The editReview() function is callable by the review author with no cost, allowing repeated edits.

External pre-conditions

  1. The attacker has an address with an existing review.
  2. The attacker is incentivized to increase storage usage maliciously, aiming to bloat the contract state and increase gas costs for legitimate users.

Attack Path

  1. Initial Review Creation: The attacker creates a review with addReview() using minimal data in comment and metadata fields to keep initial costs low.
  2. Repeated Edits with Large Data:
  • The attacker then calls editReview() repeatedly on the same review, each time providing large strings in the comment and metadata fields.
  • Since editReview() lacks size and frequency limits, each call increases storage bloat and gas costs without incurring additional fees.
  1. Impact on Contract State: The cumulative effect of these large edits bloats the contract’s storage, increasing gas costs for every user interacting with the contract. Eventually, gas costs may reach levels that discourage or prevent legitimate users from creating or editing reviews.

Impact

  • Increased Gas Costs: Each large edit adds to the contract’s storage requirements, increasing gas costs for all users.
  • Denial of Service (DoS): The bloat may make legitimate interactions with the contract too expensive, leading to a DoS for users trying to create or edit reviews.
  • Long-Term Cost: The storage bloat permanently increases the operational costs associated with the contract, affecting its long-term sustainability.

PoC

No response

Mitigation

  • Limit length of comment and metadata when add and edit review
  • Implement rate limits on editReview().