hats-finance / Proof-Of-Humanity-V2-0xef0709445d394a22704850c772a28a863bb780b0

Proof of Humanity Protocol v2

No function to recover the funds when the humanity is deceased. #122

Open hats-bug-reporter[bot] opened 2 months ago

hats-bug-reporter[bot] commented 2 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x8af4d25e81144e259ba2e23df56950b79528f2280cd269abe1229be96646ba87
Severity: medium

Description

The humanity can be requested and funded and then claimed once the challenge window is passed.

When it is requested and gets enough vouches, it can be executed by calling the function executeRequest.

The assumption made here is that the humanity is alive to receive the funds and execute the above function.

When we look at one of the challenges, it has the Deceased flag.

If the humanity is deceased in the challenge window, the funded amount would be left unused or transferred without any use.

Someone can call and execute executeRequest, but the funds would be left unused.

The other scenario is, when the humanity is expired, the funds would be left inside the contract ProofOfHumanity. There is no special function controlled by the governor to recover them.

Also, in the event of any theft or attack, there is no recovery function to recover the funds and distribute them to humanity holders.

So, there are a number of reasons why such a recovery function is needed.

Revised Code File (Optional)

We would suggest having a governor-controlled function to recover the funds based on the above mentioned cases.
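As an added illustration of what the governor-controlled recovery suggested in this report could look like (example code, not the ProofOfHumanity V2 contracts; the contract, function and field names and the delay values are assumptions), the property worth designing for is that recovery is gated on the request still being pending and long past its challenge window, so governance can never sweep a deposit out from under a live request.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch for illustration only; not PoH V2 code. All names are assumptions.
contract RequestDeposits {
    enum Status { None, Pending, Executed, Withdrawn, Recovered }

    struct Request {
        address requester;
        uint256 deposit;
        uint64 challengeEnd; // end of the challenge window
        Status status;
    }

    address public governor;
    uint64 public constant CHALLENGE_WINDOW = 5 days;
    // Grace period after the window before governance may touch an unclaimed deposit.
    uint64 public constant RECOVERY_DELAY = 365 days;
    mapping(bytes20 => Request) public requests;

    constructor() { governor = msg.sender; }

    function fundRequest(bytes20 humanityId) external payable {
        require(requests[humanityId].status == Status.None, "request exists");
        requests[humanityId] = Request(
            msg.sender, msg.value, uint64(block.timestamp) + CHALLENGE_WINDOW, Status.Pending
        );
    }

    // The requester takes the deposit back before execution (mirrors withdrawRequest).
    function withdrawRequest(bytes20 humanityId) external {
        Request storage r = requests[humanityId];
        require(r.status == Status.Pending && r.requester == msg.sender, "not your request");
        r.status = Status.Withdrawn;
        _pay(r.requester, r.deposit);
    }

    // Governance recovery: only while still Pending and only long after the window
    // closed, so a request that can still be executed or withdrawn is never affected.
    function recoverAbandoned(bytes20 humanityId, address to) external {
        require(msg.sender == governor, "not governor");
        Request storage r = requests[humanityId];
        require(r.status == Status.Pending, "not pending");
        require(block.timestamp > r.challengeEnd + RECOVERY_DELAY, "too early");
        r.status = Status.Recovered;
        _pay(to, r.deposit);
    }

    function _pay(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Note that recovered funds go to an address chosen by governance, not to the deceased requester; a lost key on the requester's side is not something a contract-level recovery function can repair.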

clesaege commented 2 months ago

In this case, the address of the deceased should call withdrawRequest. If the deceased didn't have plans for someone to get his crypto the funds will effectively be lost, but that's not in scope.

As per competition rules: Only the smart contracts of the V2 are in scope.

aktech297 commented 2 months ago

> In this case, the address of the deceased should call withdrawRequest. If the deceased didn't have plans for someone to get his crypto the funds will effectively be lost, but that's not in scope.
>
> As per competition rules: Only the smart contracts of the V2 are in scope.

Hey, ProofOfHumanity.sol is in scope, right? We saw this on the contest page. We are referring to the issue by looking at the code in the ProofOfHumanity.sol contract.

clesaege commented 2 months ago

Here your issue is about the access to an address being lost, this is not a PoH contract issue.

Also note that the contracts are upgradable, so in theory, governance could get funds which are stuck.