hats-finance / Proof-Of-Humanity-V2-0xef0709445d394a22704850c772a28a863bb780b0

Proof of Humanity Protocol v2

Unrestricted Access and Lack of Verification in `addVouch` Function #40

Open hats-bug-reporter[bot] opened 2 months ago

hats-bug-reporter[bot] commented 2 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x77ed06436233948626858ae81f3a70043160b9fdb7c74afcd41df488349f2d8c
Severity: medium

Description:

The `addVouch` function in the `ProofOfHumanity.sol` contract allows any external account to call it. This can lead to potential misuse or abuse of the function, as there are no access controls or restrictions on who can add a vouch for a humanity ID. Additionally, the function does not verify whether the `msg.sender` or the provided `humanityId` is valid or legitimate.

```solidity
/** @notice Vouch that the human corresponds to the humanity ID.
 *
 *  @dev Emits {VouchAdded} event.
 *
 *  @param _account The address of the human.
 *  @param _humanityId The humanity ID the vouch specifies human corresponds to.
 */
function addVouch(address _account, bytes20 _humanityId) external {
    vouches[msg.sender][_account][_humanityId] = true;
    emit VouchAdded(msg.sender, _account, _humanityId);
}
```

Attack Scenario:

Describe how the vulnerability can be exploited.

Attachments

1. Proof of Concept (PoC) File

   - Spam and Abuse: Malicious actors could spam the contract with vouches, leading to unnecessary storage usage and potential denial of service.
   - False Vouching: Without proper verification, anyone can vouch for any humanity ID.
   - Lack of Accountability: Since there are no checks on who can call this function, it is difficult to hold any party accountable for incorrect or malicious vouching.
   - No Verification: The function does not verify whether the `msg.sender` is a legitimate human or whether the provided `humanityId` is valid.

2. Revised Code File (Optional)

clesaege commented 2 months ago

Any address can vouch for anyone (by signing or calling the smart contract). Verifying that a voucher is registered is done in advanceState.
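An added sketch of the pattern the maintainer describes, written for this thread and not taken from the Proof of Humanity code base: `addVouch` stays unrestricted because each caller only writes its own storage slot and pays the gas for it, and a vouch only carries weight once the consuming step confirms the voucher is a registered human. The `isHuman` registry, the `vouchUsed` flag and `countValidVouches` are assumptions standing in for the project's real `advanceState` checks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical sketch, not Proof of Humanity code: unrestricted vouch
/// recording with the voucher's registration checked at consumption time.
contract VouchSketch {
    // Constructed registry: which addresses count as registered humans.
    mapping(address => bool) public isHuman;
    // voucher => vouched account => humanityId => recorded
    mapping(address => mapping(address => mapping(bytes20 => bool))) public vouches;
    // Prevents one voucher's vouch from being counted more than once.
    mapping(address => bool) public vouchUsed;

    event VouchAdded(address indexed voucher, address indexed account, bytes20 humanityId);

    constructor(address[] memory humans) {
        for (uint256 i = 0; i < humans.length; i++) isHuman[humans[i]] = true;
    }

    /// Anyone may call. msg.sender writes only its own slot in `vouches`,
    /// so spamming this function costs the spammer gas and touches nobody else's state.
    function addVouch(address _account, bytes20 _humanityId) external {
        vouches[msg.sender][_account][_humanityId] = true;
        emit VouchAdded(msg.sender, _account, _humanityId);
    }

    /// Verification happens here, not in addVouch: a vouch counts only if the voucher
    /// is a registered human, actually vouched for this account/id, and is not yet used.
    /// The list is caller-supplied, so the loop is bounded by the caller's own gas.
    function countValidVouches(address _account, bytes20 _humanityId, address[] calldata _vouchers)
        external
        returns (uint256 valid)
    {
        for (uint256 i = 0; i < _vouchers.length; i++) {
            address v = _vouchers[i];
            if (!isHuman[v] || vouchUsed[v] || !vouches[v][_account][_humanityId]) continue;
            vouchUsed[v] = true;
            valid++;
        }
    }
}
```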