Malicious Users Can Bypass the Challenge phase and vouching phase

[hats-bug-reporter[bot]]

Github username: @0xmahdirostami Twitter username: 0xmahdirostami Submission hash (on-chain): 0x393dcd92b41a1629c07e3a52985fa55d01714e6cd5de666431969965ebbb656c Severity: high

Description:

Summary

The protocol relies on a vouching system and challenge system to ensure that only legitimate humanity requests are approved. However, there's a way for malicious users to trick this system by adding incorrect vouches and submitting fake challenges, allowing them to bypass the process and get their fake requests approved.

Impact:

Bypassing challenge phase and vouching phase and create as many as humainty ids.

Vulnerability Detail

• create a claim request
• other humanities vouches for it. (they do malicious act here, but as no challenge will be accepted at the end they will not pay penalties)
• humanity is in a resolving state
• for each reason, the user challenges a request with fake evidence
• as they use fake evidence, they will not accepted
• after the last reason as the following conditions met

  
          // For a claim request there can be more than one dispute.
          if (resultRuling == Party.Requester) {
              if (!request.punishedVouch) {
                  // All reasons being used means the request can't be challenged again, so we can update its status.
  @>                    if (request.usedReasons == FULL_REASONS_SET) {
                      humanity.owner = request.requester;
                      humanity.expirationTime = uint40(block.timestamp).addCap40(humanityLifespan);

user will gain that humanity.

- as no challenge is accepted, malicious vouchers will not pay penalties

A malicious user can exploit this by adding fake vouchers and submitting fake challenges during challengePeriodDuration. For all reasons, they could repeatedly submit challenges with fake evidence, like saying the person is "Deceased" with false evidence. By doing this, they can fill `full_reason_ser`, letting their fake request go through without proper review.

and as no challenge is accepted no fake voucher will penalized.

this attack just needed some humanity: `requiredNumberOfVouches`

[clesaege]

other humanities vouches for it. (they do malicious act here, but as no challenge will be accepted at the end they will not pay penalties)

So according to your report, you still need vouches.

For the other part, similar to https://github.com/hats-finance/Proof-Of-Humanity-V2-0xef0709445d394a22704850c772a28a863bb780b0/issues/140