Main Cerulean Goose
Medium
Vulnerability details The protocol fails to reset the isParticipant flag to false for users who have sold all their votes, leaving them incorrectly labeled as active participants. While the protocol design explicitly chooses not to remove such users from the participant list, it relies on the isParticipant flag to indicate whether a user has sold all their votes. This behavior is clearly documented in the NatSpec comments on line 131:
// profileId => participant address
// append only; don't bother removing. Use isParticipant to check if they've sold all their votes.https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L131C3-L132C101
Recommendation
Update the SellVote function to include a check. If a user has sold their entire vote, set the isParticipant flag to false. This ensures accurate tracking of active participants.