The `calculateIssuance()` function returns unmintable amounts

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0xc00ffc08600bf4ae418d3d2bba74678ae2b2dddb9df09078d2c62c13f29e1cdb Severity: low

Description: If user signs up in V1 after registering in V2, both the calculateIssuance() and look() functions start calculating mintable tokens for the user. obviously, the user can't mint in V2 because it would revert due to minting being blocked. If user stops V1 before minting in V2, it would mint zero tokens and start calculating from scratch. The point is that both view functions in V1 and V2 return mintable tokens correctly; however, the calculateIssuance() function in V2 should revert zero because these amounts can't be minted by the personalMint() function. The issue arises if third-party protocols rely on the calculateIssuance() function in their logic, which might cause a loss of funds or logic errors.

Impact\ Potential loss of funds or logic errors for third-party protocols.

POC

• add this function to V1MintStatusUpdate.t.sol

• run with forge t --mt test_poc -vvv

  function test_poc() public{
      address Alice = makeAddr("Alice");
      address Bob = makeAddr("Bob");
  
      ITokenV1 tokenBob = signupInV1(Bob);
  
      vm.startPrank(Bob);
      tokenBob.stop();
      mockHub.registerHuman(address(0), bytes32(0));
      mockHub.trust(Alice, type(uint96).max);
      vm.stopPrank();
  
      vm.startPrank(Alice);
  
      mockHub.registerHuman(Bob, bytes32(0));
      vm.stopPrank();
      ITokenV1 tokenAlice = signupInV1(Alice);
      vm.startPrank(Alice);
  
      skipTime(3 hours);
  
      console.log("balance of Alice in V1: ", mintV1Tokens(tokenAlice));
  
      tokenAlice.stop();
  
      (uint bal,  ,) = mockHub.calculateIssuance(Alice);
      console.log("balance of Alice in V2: ", bal);
      vm.stopPrank();
  }

  [PASS] test_poc() (gas: 2359535)
  Logs:
  balance of Alice in V1:  1069999999999988400
  balance of Alice in V2:  3000000000000000000

[benjaminbollen]

the view function calculateIssuance cannot update state, so if it would base off read but not stored state, it's returned result would be inconsistent with the later mint in personal mint; the stateful function calculateIssuanceWithCheck exists explicitly for your concern to perform the check, calculate the issuance, but not mint it (as Personal Mint would do)