Skip to content

Latest commit

 

History

History
39 lines (21 loc) · 1.08 KB

081.md

File metadata and controls

39 lines (21 loc) · 1.08 KB

Spare Wintergreen Coyote

Medium

A malicious user can register as a participant by buying 0 votes.

Summary

There is no restriction on buying 0 votes in the buyVotes function. https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L440

Root Cause

If a malicious user sets both min and max to 0, they can still buy 0 votes and become a participant. https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L475

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

No response

Impact

Malicious users can artificially inflate the participant list, leading to increased gas costs during participant-based operations and misleading statistics about actual market engagement.

PoC

No response

Mitigation

Require a non-zero purchase before registering a new participant (e.g., checking currentVotesToBuy > 0) and optionally enforce minVotesToBuy <= maxVotesToBuy to prevent zero-vote scenarios.