Description:Description\
The CrossChainProofOfHumanity contract implements a cooldown period to prevent rapid and repeated cross-chain transfers of “humanity” claims. However, the current cooldown duration may be insufficient, potentially leading to errors or unexpected behavior if there isn’t adequate time validation for cross-chain transactions.
Attack Scenario\
Rapid Chain-Hopping: An attacker could quickly move their “humanity” claim across multiple blockchains to avoid detection or revocation.\
Denial of Service (DoS): By constantly transferring their “humanity” claim, an attacker could flood the system with requests, potentially overwhelming it.\
Governance Bypass: The short cooldown doesn’t give enough time for governance mechanisms to intervene in suspicious activities, rendering these safeguards ineffective.
Testing Methodology:\
To demonstrate this vulnerability, we focused specifically on the cooldown mechanism within the CrossChainProofOfHumanity contract. We used a simplified mock of the ProofOfHumanity contract to isolate the cooldown logic and avoid unnecessary complexities related to the full registration process. This approach allowed us to directly test the cooldown functionality and demonstrate its inadequacy.
Vulnerability Impact:\
The insufficient cooldown time undermines security by:
Weakening Security Measures: The short cooldown period fails to provide adequate protection against abuse, such as evading revocation attempts or causing inconsistencies across different blockchains.
Insufficient Time for Transaction Finality: The cooldown doesn’t allow sufficient time for transaction finality on most blockchains, leading to potential race conditions and state inconsistencies.
// This is a minimal mock of the ProofOfHumanity contract.
// It only implements the bare minimum functions required for the CrossChainProofOfHumanity contract to compile and for the test to run.
// All other functions revert, as they are not used in the test.
contract MinimalMockProofOfHumanity is IProofOfHumanity {
// isClaimed always returns true, simulating a valid humanity.
function isClaimed(bytes20) external pure override returns (bool) {
return true;
}
// ccDischargeHumanity returns dummy values, as it's not relevant for the test.
function ccDischargeHumanity(address) external override returns (bytes20, uint40) {
return (bytes20(0x0), 0);
}
// ccGrantHumanity always returns true, simulating a successful registration of a humanity.
function ccGrantHumanity(bytes20, address, uint40) external override returns (bool) {
return true;
}
// All other functions revert, as they are not used in the test.
function isHuman(address) external view override returns (bool) {
revert();
}
function boundTo(bytes20) external view override returns (address) {
revert();
}
function humanityOf(address) external view override returns (bytes20) {
revert();
}
function getHumanityInfo(bytes20) external view override returns (bool, bool, uint48, uint40, address, uint256) {
revert();
}
}
// This test demonstrates that the cooldown implemented in CrossChainProofOfHumanity prevents rapid transfers of a humanity.
contract CrossChainProofOfHumanityTest is Test {
CrossChainProofOfHumanity ccpH;
MinimalMockProofOfHumanity poh;
address alice = address(0x100);
bytes20 humanityId = bytes20(uint160(alice));
function setUp() public {
poh = new MinimalMockProofOfHumanity();
ccpH = new CrossChainProofOfHumanity();
ccpH.initialize(poh, 7); // Initialize with the mock and a cooldown of 7 seconds
}
function testRapidTransferAttack() public {
// Assume Alice's humanity is already registered and valid.
// Simulate Alice transferring her humanity.
vm.prank(alice);
ccpH.receiveTransfer(alice, humanityId, 1000, keccak256(abi.encodePacked(block.timestamp))); // Use a unique transfer hash
// Attempt to transfer back immediately (simulating the attack).
vm.warp(block.timestamp + 1); // Advance time by 1 second (cooldown is still active)
vm.prank(alice);
ccpH.transferHumanity(address(this)); // This should revert due to the cooldown.
// The test will fail here because the transfer reverted, proving that the cooldown is working.
}
}
\
bash
forge test -vvv --via-ir
**Proposed Solution:**\
To mitigate this vulnerability, we recommend increasing the cooldown period to a more appropriate duration. This duration should be carefully chosen to balance security considerations with usability. A minimum cooldown period of a few hours or even days would provide sufficient time for transaction finality and enhance protection against potential abuse.
**Files:**
- CrossChainProofOfHumanityTest.t.sol (https://hats-backend-prod.herokuapp.com/v1/files/QmfJRASeWhpMfa7qoMsdip8PJ2vHTVdpRjtGkLWi9CkFSu)
clesaege
commented
2 months ago
Github username: -- Twitter username: -- Submission hash (on-chain): 0x9613fa6dd35008f60a1320f33adc197dce28b974d2b480bba2aeea997bd81b66 Severity: medium
Description: Description\ The CrossChainProofOfHumanity contract implements a cooldown period to prevent rapid and repeated cross-chain transfers of “humanity” claims. However, the current cooldown duration may be insufficient, potentially leading to errors or unexpected behavior if there isn’t adequate time validation for cross-chain transactions.
Attack Scenario\ Rapid Chain-Hopping: An attacker could quickly move their “humanity” claim across multiple blockchains to avoid detection or revocation.\ Denial of Service (DoS): By constantly transferring their “humanity” claim, an attacker could flood the system with requests, potentially overwhelming it.\ Governance Bypass: The short cooldown doesn’t give enough time for governance mechanisms to intervene in suspicious activities, rendering these safeguards ineffective.
Testing Methodology:\ To demonstrate this vulnerability, we focused specifically on the cooldown mechanism within the CrossChainProofOfHumanity contract. We used a simplified mock of the ProofOfHumanity contract to isolate the cooldown logic and avoid unnecessary complexities related to the full registration process. This approach allowed us to directly test the cooldown functionality and demonstrate its inadequacy.
Vulnerability Impact:\ The insufficient cooldown time undermines security by: Weakening Security Measures: The short cooldown period fails to provide adequate protection against abuse, such as evading revocation attempts or causing inconsistencies across different blockchains. Insufficient Time for Transaction Finality: The cooldown doesn’t allow sufficient time for transaction finality on most blockchains, leading to potential race conditions and state inconsistencies.
Attachments\
[profile.default] viaIR = true
pragma solidity ^0.8.17;
import "forge-std/Test.sol"; import "../contracts/CrossChainProofOfHumanity.sol"; import "../contracts/interfaces/IProofOfHumanity.sol";
// This is a minimal mock of the ProofOfHumanity contract. // It only implements the bare minimum functions required for the CrossChainProofOfHumanity contract to compile and for the test to run. // All other functions revert, as they are not used in the test. contract MinimalMockProofOfHumanity is IProofOfHumanity { // isClaimed always returns true, simulating a valid humanity. function isClaimed(bytes20) external pure override returns (bool) { return true; }
}
// This test demonstrates that the cooldown implemented in CrossChainProofOfHumanity prevents rapid transfers of a humanity. contract CrossChainProofOfHumanityTest is Test { CrossChainProofOfHumanity ccpH; MinimalMockProofOfHumanity poh;
}
forge test -vvv --via-ir