hats-finance / HATs-Arbitration-Contracts-0x79a618f675857b45934ca1c413fd5f409cf89735

MIT License

Anyone can submit a reference to an Evidence on the HATKlerosConnector #47

Open hats-bug-reporter[bot] opened 8 months ago

hats-bug-reporter[bot] commented 8 months ago

Github username: @aviggiano
Submission hash (on-chain): 0x033e189cc1ca6081eb0a2277b88954eef6cf76167ce870fae2bfc29f9e8d9ebd
Severity: low

Description

In HATKlerosConnector, anyone can call submitEvidence, even if they are not the original _disputer. This means any user can submit fake evidence on behalf of a _localDisputeId.

    function submitEvidence(
        uint256 _localDisputeId,
        string calldata _evidenceURI
    ) external override {
        DisputeStruct storage dispute = disputes[_localDisputeId];
        // Note that by reading dispute's value we also check that it exists.
        require(!dispute.resolved, "Dispute already resolved");

        emit Evidence(
            klerosArbitrator,
            _localDisputeId,
            msg.sender,
            _evidenceURI
        );
    }

Recommendation

Make sure that only the original _disputer from notifyArbitrator can submit additional Evidence.
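The check the recommendation asks for, as an added illustration that is not the connector's own code: a minimal stand-in contract that records the disputer when a dispute is opened and rejects `submitEvidence` calls from anyone else. The `DisputeStruct` field names, the `openDispute` helper (standing in for `notifyArbitrator`) and the use of a plain `address` for the arbitrator are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the HATKlerosConnector source. Field and helper
// names below are assumed for illustration.
contract RestrictedEvidenceExample {
    // ERC-1497 Evidence event; all three indexed fields can be filtered on.
    // The connector passes its Kleros arbitrator here (address used for brevity).
    event Evidence(
        address indexed _arbitrator,
        uint256 indexed _evidenceGroupID,
        address indexed _party,
        string _evidence
    );

    struct DisputeStruct {
        address disputer; // assumed: the _disputer passed to notifyArbitrator
        bool resolved;
    }

    address public immutable klerosArbitrator;
    DisputeStruct[] public disputes;

    constructor(address _klerosArbitrator) {
        klerosArbitrator = _klerosArbitrator;
    }

    // Simplified stand-in for notifyArbitrator: records who opened the dispute.
    function openDispute(address _disputer) external returns (uint256 localDisputeId) {
        localDisputeId = disputes.length;
        disputes.push(DisputeStruct({disputer: _disputer, resolved: false}));
    }

    // Hardened variant: only the recorded disputer may attach further evidence.
    function submitEvidence(uint256 _localDisputeId, string calldata _evidenceURI) external {
        // Array access reverts for an unknown id, so existence is checked here too.
        DisputeStruct storage dispute = disputes[_localDisputeId];
        require(!dispute.resolved, "Dispute already resolved");
        require(msg.sender == dispute.disputer, "Only the disputer may submit evidence");

        emit Evidence(klerosArbitrator, _localDisputeId, msg.sender, _evidenceURI);
    }
}
```

If the intended design is instead that every party may submit evidence (as the maintainer reply below states), the `_party` index on the event is what lets an off-chain consumer filter out submissions from addresses it does not recognise.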

bahurum commented 8 months ago

Note that the arguments of the Evidence() event are indexed and one could filter them by disputer. Whether this allows spamming or not depends on how the events are processed by Kleros. The Hats team will have more info on this.

jellegerbrandy commented 8 months ago

This is a feature, not a bug: we want all parties to be able to submit evidence. You have not described why this is a problem.