Striped Amber Bird
Medium
addReply() is used to create a reply. However, there's an issue: when the Reply struct is created, isTargetThisContract is incorrectly set to false when the target is address(this) and true otherwise.
addReply() is implemented as follows:
function addReply(
address targetContract,
uint256 targetId,
string memory content,
string memory metadata
) external onlyNonZeroAddress(targetContract) whenNotPaused {
uint256 authorID = IEthosProfile(
contractAddressManager.getContractAddressForName(ETHOS_PROFILE)
).verifiedProfileIdForAddress(msg.sender);
@> bool isTargetThisContract = _isAddressThisContract(targetContract);
//reply a reply
if (isTargetThisContract) {
if (replies[targetId].createdAt == 0) {
revert TargetNotFound(targetContract, targetId);
}
} else {
_checkIfTargetExistsAndAllowed(targetContract, targetId);
}
uint256 _replyCount = replyCount;
directReplyIdsByTargetAddressAndTargetId[targetContract][targetId].push(_replyCount);
replyIdsByAuthor[authorID].push(_replyCount);
replies[_replyCount] = Reply(
@> !isTargetThisContract,
targetContract,
authorID,
_replyCount,
targetId,
block.timestamp,
0,
content,
metadata
);
emit ReplyAdded(authorID, targetContract, _replyCount);
replyCount++;
}As shown, _isAddressThisContract() is called to determine the value of isTargetThisContract.
function _isAddressThisContract(address targetContract) private view returns (bool) {
return targetContract == address(this);
}_isAddressThisContract() returns true if the target contract is address(this). However, as seen in the creation of the Reply struct, the isTargetThisContract boolean is incorrectly negated when targetContract == address(this).
addReply() is called with targetContract == address(this).
None
None.
The Reply struct is incorrectly created when targetContract == address(this), as isTargetThisContract is set to false. This misconfiguration can lead to issues on the front end.
The previous sections justify the vulnerability.
Remove the negation of isTargetThisContract when creating the Reply struct.