Description:Description\
The addVouch function in the ProofOfHumanity.sol contract allows any external account to call it. This can lead to potential misuse or abuse of the function, as there are no access controls or restrictions on who can add a vouch for a humanity ID. Additionally, the function does not verify whether the msg.sender or the provided humanityId is valid or legitimate.
/** @notice Vouch that the human corresponds to the humanity ID.
*
* @dev Emits {VouchAdded} event.
*
* @param _account The address of the human.
* @param _humanityId The humanity ID the vouch specifies human corresponds to.
*/
function addVouch(address _account, bytes20 _humanityId) external {
vouches[msg.sender][_account][_humanityId] = true;
emit VouchAdded(msg.sender, _account, _humanityId);
}
Attack Scenario\
Describe how the vulnerability can be exploited.
Attachments
Proof of Concept (PoC) File
Spam and Abuse: Malicious actors could spam the contract with vouches, leading to unnecessary storage usage and potential denial of service.
False Vouching: Without proper verification, anyone can vouch for any humanity ID
Lack of Accountability: Since there are no checks on who can call this function, it is difficult to hold any party accountable for incorrect or malicious vouching.
No Verification: The function does not verify whether the msg.sender is a legitimate human or whether the provided humanityId is valid.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x77ed06436233948626858ae81f3a70043160b9fdb7c74afcd41df488349f2d8c Severity: medium
Description: Description\ The
addVouch
function in the ProofOfHumanity.sol contract allows any external account to call it. This can lead to potential misuse or abuse of the function, as there are no access controls or restrictions on who can add a vouch for a humanity ID. Additionally, the function does not verify whether the msg.sender or the provided humanityId is valid or legitimate.Attack Scenario\ Describe how the vulnerability can be exploited.
Attachments
Spam and Abuse: Malicious actors could spam the contract with vouches, leading to unnecessary storage usage and potential denial of service.
False Vouching: Without proper verification, anyone can vouch for any humanity ID
Lack of Accountability: Since there are no checks on who can call this function, it is difficult to hold any party accountable for incorrect or malicious vouching.
No Verification: The function does not verify whether the msg.sender is a legitimate human or whether the provided humanityId is valid.