Open hats-bug-reporter[bot] opened 2 weeks ago
Ok, so my understanding of your concern is that:
So this cannot happen because a profile cannot be registered on both chains as this would be a duplicate (and here the user losing one of the profile would actually be something which is desirable, not a bug).
As per contest rule, the following are out of scope:
And even if it was in scope, that would actually solve an invalid situation to a valid one.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x82cdc1dd1520ff8c7319190f208fabc22fb27ad5428e3eaababa2d7873b75ea9 Severity: medium
Description: Description\ When humanity is being transferred to a foreign chain,
expirationTime
is being sent as part of the payload to later determine whether humanity is claimed or not inProofOfHumanity::ccGrantHumanity
:But on different chains
block.timestamp
means different things:According to the Arbitrum doc:
https://docs.arbitrum.io/build-decentralized-apps/arbitrum-vs-ethereum/block-numbers-and-time#block-timestamps-arbitrum-vs-ethereum
Attack Scenario\
Knowing that we can say there is a
block.timestamp
dependence of the 2 chains - originator and foreign and whenCrossChainProofOfHumanity::transferHumanity
(function that sends the payload to the foreign chain and ends calling theCrossChainProofOfHumanity::receiveTransfer
) is called towards the end of the claiming period there can be the scenario whenblock.timestamp >= humanity.expirationTime
(humanity is not claimed) on the originator chain, but on the foreign for that particular humanity to beblock.timestamp < humanity.expirationTime
(false indication of claimed humanity) and to not update the other params of the humanity struct:Attachments
block.timestamp
dependencies,