Malicious Users Can Block Revocation

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0xbc6ca08081fab483ee9e12206a26fdbcda46be9382a6b6c92ce16c3a3dd50a2c Severity: medium

Description:

Vulnerability Detail

A malicious user can stop others from revoking their fake Humanity ID by exploiting the revocation process. Here’s how they do it:

Steps of Exploitation:

1. Humanity ID X is malicious

2. The owner of it monitors the mempool and whenever see the revocation transaction, frontrun it

3. Before the legitimate revocation request can be processed, the malicious user front-runs it by submitting a revocation request themselves, but with incorrect evidence. For instance, the malicious user might submit a request citing an outdated policy as the reason for revocation (e.g., using an incorrect policy version as evidence, due to policy, this kind of revocation evidence will be rejected. https://cdn.kleros.link/ipfs/QmcEvNrofibGt1MQSCk7G1fFboiMyfHoYyns4En4kWG5hU).

4. The same malicious user, using a different address, challenges the fake revocation request they submitted. Given that the evidence is incorrect, the challenge will succeed, causing the revocation to fail.

5. After the failed revocation, the system enters a failedRevocationCooldown period during which no further revocation attempts can be made. This cooldown period effectively shields the malicious Humanity ID from being revoked during this time.

6. The malicious user can repeat this process every time they detect a legitimate revocation attempt, thereby indefinitely preventing the revocation of their Humanity ID.

Impact

This trick allows bad actors to keep their fake Humanity IDs on the network, blocking others from removing them.

Note:

The malicious user incurs no financial loss because they control both the revocation request and the challenge, meaning they simply move funds between their own addresses.

[whoismxuse]

dup of #125

[clesaege]

I confirm.