Open hats-bug-reporter[bot] opened 2 months ago
Anyone can provide evidence, invalid ones are to be checked at the frontend level.
Hi @clesaege
What if someone calls the function millions of times? How could the front end be able to process that? It would slow down, eventually leading to DoS.
I'd assume people would restate their arguments just to appear on top. And putting a million pieces of evidence would cost a bunch of money (even on Gnosis Chain, it would cost way more than a submission deposit, so this doesn't look profitable), while honest parties would just need to resubmit their evidence one time.
There is a way to annoy, but the gas system makes sure it's costly to do so.
Ya. I understand, it would cost some money. But it would be acceptable to the attacker. For example, on Gnosis Chain, for 1 million events the cost would be around 3000 USD. Imo, the attacker would be ready to spend such amounts if they want to bring the system down for their advantage.
This would not bring the system down; this would annoy jurors and honest parties, who would need to resubmit evidence so that it shows up.
It's not bringing it down, but interrupting the system, i.e. annoying, as you mentioned. This was flagged as low in the Hats audit competition.
People can post evidence as they wish; the contract doesn't include antispam features besides costing gas. This is the expected behaviour.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x72a43388f228a233285615deb9df57ad8fabfbd885b31a8911fc17b7ebee061d Severity: low
Description:
The Evidence event is emitted during the following operations: claimHumanity, renewHumanity and challengeRequest. It carries the following information, which can be processed in the front end application.
IEvidence.sol#L31-L36
All the above processes involve reasonable actions to be completed before the event is emitted.
The part we need to check is the function submitEvidence.
Anybody can call this function and input data of any arbitrary length as evidence.
For example, if a challenger knows that they would lose the challenge, they can immediately call this function n times and emit the events.
If this happens, the front end application would try to process these flooded events and get stuck or slow down in its processing.
Spamming in event emission refers to the excessive generation of events by a smart contract or application on a blockchain. Events are logs that smart contracts emit to signal that something has happened, and they are often used to trigger off-chain processes or notify external systems. Excessive or unnecessary event emissions can have several negative consequences:
Attack Scenario
Malicious user could use this function to spam the event emission.
Network Congestion: While event emissions don't directly contribute to network congestion in the same way transactions do, excessive emissions can still overwhelm nodes, making it harder for them to process and store data efficiently.
Off-Chain Impact: Many blockchain applications rely on off-chain services (like oracles or indexers) to monitor events. Spamming events can overload these services, leading to slower processing times or even denial of service (DoS) for legitimate users.
Obfuscation: Spamming events can be used to obscure important events or make it difficult for external systems to identify relevant data, which can be a form of malicious behavior.
Attachments
Limit the number of calls that can be made to the function submitEvidence, or require spending some amount to provide evidence information. This will make the spamming process costly.
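As an added illustration of the frontend-level handling the maintainer refers to (this is example code, not the Proof of Humanity contracts or their frontend), the filter below takes a flood of decoded Evidence events for one evidence group and drops exact resubmissions from the same address, then caps how many of each submitter's newest entries are rendered, so a flood from one address cannot push everyone else's evidence out of view. The event field names and the per-party cap are assumptions for the constructed sample.

```javascript
// Assumed decoded shape of an Evidence event from submitEvidence (field names are
// an assumption for this example): { party, evidence, blockNumber, logIndex }.
const MAX_PER_PARTY = 5; // assumed display cap per submitter within one evidence group

function filterEvidence(events, maxPerParty = MAX_PER_PARTY) {
  // Newest first, so the cap keeps each party's latest submissions.
  const ordered = [...events].sort(
    (a, b) => b.blockNumber - a.blockNumber || b.logIndex - a.logIndex
  );
  const seen = new Set();      // "party|evidenceURI" already rendered
  const perParty = new Map();  // party -> number of entries kept so far
  const kept = [];
  const dropped = { duplicate: 0, capped: 0 };
  for (const ev of ordered) {
    const party = ev.party.toLowerCase();
    const key = `${party}|${ev.evidence}`;
    if (seen.has(key)) { dropped.duplicate++; continue; } // exact resubmission
    seen.add(key);
    const n = perParty.get(party) ?? 0;
    if (n >= maxPerParty) { dropped.capped++; continue; }  // over this party's cap
    perParty.set(party, n + 1);
    kept.push(ev);
  }
  return { kept, dropped };
}

// Constructed sample: one honest submission, then twelve events from a single
// address, the last three of which repeat the first URI.
function sampleEvents() {
  const honest = { party: "0xAAAA", evidence: "/ipfs/honest-statement", blockNumber: 50, logIndex: 0 };
  const flood = Array.from({ length: 12 }, (_, i) => ({
    party: "0xbbbb",
    evidence: `/ipfs/spam-${i < 9 ? i : 0}`,
    blockNumber: 100 + i,
    logIndex: 0,
  }));
  return [honest, ...flood];
}

const result = filterEvidence(sampleEvents());
console.log(`rendered ${result.kept.length} of 13, dropped`, result.dropped);
```

The honest entry survives untouched while the flooding address is reduced to its five newest distinct submissions, whatever the number of events it emitted.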