hats-finance / Proof-Of-Humanity-V2-0xef0709445d394a22704850c772a28a863bb780b0

Proof of Humanity Protocol v2

Malicious user can challenge request without paying arbitration cost #135

Open hats-bug-reporter[bot] opened 2 weeks ago

hats-bug-reporter[bot] commented 2 weeks ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0xb28ce8037d1af56238f8b63528d6d169660455bc0ff3334714c9b37601754c13
Severity: high

Description: challengeRequest allows users to create a challenge for a request with zero msg.value. It doesn't check whether the user has sent at least the arbitration cost, but the arbitration cost is transferred to the arbitrator from protocol funds, which leads to loss of funds for the protocol and protocol insolvency. The challenger should be the one that pays the arbitration cost.

Attack Scenario: Consider that Alice calls challengeRequest for a request with a zero msg.value. It assumes the user has sent the arbitration cost as msg.value, but if the user doesn't send the funds it won't revert:

```solidity
require(_contribute(_humanityId, _requestId, challengeId, 0, Party.Challenger, arbitrationCost));
```

Then the arbitration cost is transferred to the arbitrator. Since the user didn't send the arbitration cost, the amount is transferred from protocol funds, which leads to loss of funds for the protocol. A malicious user can create a lot of challenge requests for different requests and cause loss of funds for the protocol.

MehdiKarimi81 commented 2 weeks ago

This is invalid

clesaege commented 2 weeks ago

Yep, _contribute returns true only if it is paid in full.
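To make the maintainers' point concrete, the following is a simplified Solidity model of the "contribute, then require full funding" pattern that the quoted line relies on. This is an added illustration written for this page, not the Proof of Humanity v2 contract: the contract name, storage layout, the parameter list of `_contribute`, the refund behaviour and the `challengeRequestUnchecked` variant are all assumptions made here to show why a zero-`msg.value` call reverts when the boolean is wrapped in `require`, and what the report would need to be true for the described loss to occur.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of the contribute-then-require pattern discussed in this
/// thread. Added illustration only; NOT the Proof of Humanity v2 code. Names,
/// storage layout and refund behaviour are assumptions made for this example.
contract ChallengeFundingModel {
    struct Contribution {
        uint256 paid;     // wei credited to the challenger side so far
        uint256 required; // wei the side must raise (the arbitration cost here)
        bool funded;      // true once paid >= required
    }

    // challengeId => contribution record for the challenger side
    mapping(uint256 => Contribution) public challengerRounds;
    uint256 public nextChallengeId;

    /// Credits msg.value to the challenger side of `challengeId`, refunds any
    /// surplus above `required`, and returns true ONLY if the side is now paid
    /// in full. Checks-effects-interactions: state is updated before the refund.
    function _contribute(uint256 challengeId, uint256 required, address payable contributor)
        internal
        returns (bool)
    {
        Contribution storage c = challengerRounds[challengeId];
        if (c.required == 0) c.required = required; // first call fixes the target

        uint256 remaining = c.required - c.paid;
        uint256 take = msg.value < remaining ? msg.value : remaining;
        c.paid += take;
        if (c.paid >= c.required) c.funded = true;

        uint256 surplus = msg.value - take;
        if (surplus > 0) {
            (bool ok, ) = contributor.call{value: surplus}("");
            require(ok, "refund failed");
        }
        return c.funded;
    }

    /// Same shape as the line quoted in the report. With msg.value == 0 and a
    /// non-zero arbitrationCost, _contribute returns false and the require
    /// reverts, so nothing is ever forwarded to an arbitrator from other funds.
    function challengeRequest(uint256 arbitrationCost) external payable returns (uint256 challengeId) {
        require(arbitrationCost > 0, "cost must be set");
        challengeId = nextChallengeId++;
        require(
            _contribute(challengeId, arbitrationCost, payable(msg.sender)),
            "arbitration cost not fully paid"
        );
        // Only reachable once the challenger has covered arbitrationCost in full.
    }

    /// Hypothetical variant (assumption for contrast, not in the project): the
    /// return value is discarded, so an underfunded or zero-value call proceeds.
    /// This is the behaviour the report describes; the real line wraps the call
    /// in require(), so this path does not exist there.
    function challengeRequestUnchecked(uint256 arbitrationCost) external payable returns (uint256 challengeId) {
        challengeId = nextChallengeId++;
        _contribute(challengeId, arbitrationCost, payable(msg.sender)); // bug: result ignored
    }
}
```

When reviewing a report like this one, the check is the boolean contract of the helper: if a function's only signal that funding is complete is its return value, every caller that must not proceed underfunded has to `require` that value (or revert inside the helper). Here `challengeRequest` does, so a zero-value call reverts before any transfer can happen.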