Open hats-bug-reporter[bot] opened 1 week ago
I think POH extended version has this check where both v1 and v2 interaction happened. Where the logic check the registered in fork contract and then vouch flag is updated. First time it will be updated. Second time , the same would validated. I think you read on the proofofhumanity contract
@aktech297 I wrote a POC that use POH extended version, you could check it.
@aktech297 I wrote a POC that use POH extended version, you could check it.
Will check. But I was thinking the same. But didn't get time to spend more on it
Vouching on V1 and V2 are disconnected. Profiles created after the fork are not valid on V2.
So this is the expected behaviour.
@clesaege
V1 user will not register after fork.
A normal v1 user could vouch on v1 contract, and then vouch on v2 extended contract.
Please review the test:
v1 user vouches for V1_ALICE. now he could still vouch in v2 contract.
@clesaege
v2 extended contract doesn't check if v1 user already used his vouch on v1 or not.
All users expect to be able to vouch on time for a time, but v1 users could be able to vouch two times Simultaneously.
When V2 starts, for the purpose of V2, V1 registrations are not possible. So far the report has only described expected behaviours.
@clesaege
I will give a scenario here:
v1 user (whose submissionTime
is before fork time) vouches for humanity X on humanity old contract.
The correct check in advncestate
in extended contract allows this user to vouch in v2 extended as well.
How vouches work: a user vouches for other user's request, and will wait until the result of the request (couldn't vouch again during this time), if the result shows that the request was malicious user will lose his humanity.
So now what is the impact of being available to vouch two times. That is mean: means that if this v1 user is malicious, he could vouch two time instead of one.
@clesaege
if you are saying that you're not care about vouches after fork time in v1 old contract.
let me describe another scenario:
By this scenario i just want to mention that there is a chance that some vouches(for the time before fork) will not process, but v2 extended overlook them.
That is mean: means that if this v1 user is malicious, he could vouch two time instead of one.
He could vouch one time of V1 and one time on V2. This is the expected behaviour. Note that the profile he vouched for will not count for V2 as it will have a registration time post fork.
Note that the profile he vouched for will not count for V2 as it will have a registration time post fork. @clesaege
after deploying v2 contract, there are some remain vouches that doesn't process, those should considered, because those that vouched for them are count in v2.
- If Bob vouches for Alice before fork time in v1 old.
- Alice get humanity ID before fork time in v1 old.
- however, vouches doesn't process yet
- fork time happen
- Bob could still vouch on v2
I see no problem there, process vouches can be called by anyone, needing to process vouches is a technical need, not a logical need. So from a "logical" perspective her vouches are not in use.
Github username: @0xmahdirostami Twitter username: 0xmahdirostami Submission hash (on-chain): 0x0c901481ecb071b3535752568fbe8cfab94035a861d790116819a298a43c4263 Severity: medium
Description:
Vulnerability Detail
The vulnerability lies in the advanceState function, which is supposed to ensure that users can only vouch for one Humanity ID at a time to prevent abuse. However, the function only checks if a user has already vouched on the V2 contract and fails to account for vouches made on the V1 contract.
This oversight allows a v1 user to vouch for a Humanity ID on V1 and v2 contract Simultaneously. This effectively bypasses the vouching restriction, allowing users to vouch for multiple claims at the same time across different contract versions.
Proof of Concept
Below is a test case that demonstrates this vulnerability:
As you could see
V1_USER
vouch in v1 and v2 for different users Simultaneously.