Open hats-bug-reporter[bot] opened 1 week ago
Thank you for your detailed report on the ability to use a stopped profile for registration. We appreciate the effort you put into writing a test to demonstrate this behavior. After review, we've determined that this is not an issue, but rather an intended feature of our system. Here's why:
Your thorough analysis and test creation demonstrate a deep engagement with our system. While this behavior is intentional, your report helps ensure our design choices are clear and well-documented. Thank you for contributing to the robustness of our platform.
Github username: --
Twitter username: --
Submission hash (on-chain): 0x367b5d1e3734d24f7d11de72905edcae3013a2905d6309415364b6b302e5c444
Severity: low
Description:
Even though a user stops their avatar via stop(), if they trusted someone previously, the trusted user could still register by burning the inviter's INVITATION_COST and getting WELCOME_BONUS tokens.
Proof of Concept
test/hub/V1MintStatusUpdate.t.sol
migrationSetup() and testStopAndRegister() functions
run forge test --mt testStopAndRegister -vvvv
Recommendation
Consider disallowing registrations with stopped profiles' avatar currencies by checking if the inviter's lastMintTime is set to INDEFINITE_FUTURE and reverting registerHuman if it is.
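The check the recommendation describes, sketched as an added example in a simplified standalone contract; it is not the project's Hub code and not part of the report. The storage layout, the bootstrap and trust helpers, the custom errors and the token amounts are assumptions; stop, registerHuman, lastMintTime, INDEFINITE_FUTURE, INVITATION_COST and WELCOME_BONUS are the names used in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Simplified model for illustration only; not the project's Hub contract.
contract HubModel {
    // Sentinel written by stop(); the name is from the report, the value is assumed.
    uint96 internal constant INDEFINITE_FUTURE = type(uint96).max;
    // Placeholder amounts (constructed; the report does not state the real values).
    uint256 internal constant INVITATION_COST = 2 ether;
    uint256 internal constant WELCOME_BONUS = 1 ether;

    error InviterStopped(address inviter);
    error NotTrustedByInviter(address inviter, address human);
    error AlreadyRegistered(address human);
    error NotRegistered(address caller);

    mapping(address => uint96) public lastMintTime; // 0 means "not registered"
    mapping(address => mapping(address => bool)) public trusts; // truster => trustee
    mapping(address => mapping(address => uint256)) public balanceOf; // currency => holder

    /// Hypothetical helper: registers the caller and funds one invitation.
    function bootstrap() external {
        if (lastMintTime[msg.sender] != 0) revert AlreadyRegistered(msg.sender);
        lastMintTime[msg.sender] = uint96(block.timestamp);
        balanceOf[msg.sender][msg.sender] = INVITATION_COST;
    }

    /// Hypothetical helper: the caller marks `human` as trusted.
    function trust(address human) external {
        trusts[msg.sender][human] = true;
    }

    function stop() external {
        if (lastMintTime[msg.sender] == 0) revert NotRegistered(msg.sender);
        lastMintTime[msg.sender] = INDEFINITE_FUTURE; // trust entries are left untouched
    }

    function registerHuman(address inviter) external {
        if (lastMintTime[msg.sender] != 0) revert AlreadyRegistered(msg.sender);
        if (!trusts[inviter][msg.sender]) revert NotTrustedByInviter(inviter, msg.sender);
        // Check proposed in the report: a stopped inviter cannot sponsor a registration.
        if (lastMintTime[inviter] == INDEFINITE_FUTURE) revert InviterStopped(inviter);
        balanceOf[inviter][inviter] -= INVITATION_COST; // burn the inviter's own currency
        lastMintTime[msg.sender] = uint96(block.timestamp);
        balanceOf[msg.sender][msg.sender] += WELCOME_BONUS;
    }
}
```

Without the InviterStopped check the model reproduces the reported behaviour: trust granted before stop() still lets the trusted address register and burn the stopped inviter's balance.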