hats-finance / Proof-Of-Humanity-V2-0xef0709445d394a22704850c772a28a863bb780b0

Proof of Humanity Protocol v2

Invalid validation causing reverted txn in `withdrawRequest` #41

Open hats-bug-reporter[bot] opened 2 months ago

hats-bug-reporter[bot] commented 2 months ago

Github username: @iwildsniperi

Twitter username: iwildsniperi

Submission hash (on-chain): 0x9c7285fc156c7fd0894b19b9c347cbab6234e720ea647fad9eb43cf8d4d70472

Severity: medium

Description:

The way `request.status` is checked in `withdrawFeesAndRewards` will make the txn always revert in `withdrawRequest`. In Line 869 we check that

```solidity
File: ProofOfHumanity.sol
864:     function withdrawRequest() external {
865:         bytes20 humanityId = accountHumanity[msg.sender];
866:         Humanity storage humanity = humanityData[humanityId];
867:         uint256 requestId = humanity.requestCount[msg.sender] - 1;
868:         Request storage request = humanity.requests[requestId];
869:         require(request.status == Status.Vouching);
870: 
871:         delete humanity.requestCount[msg.sender];
872:         request.status = Status.Resolved;
873: 
874:         // Automatically withdraw for the requester.
875:         withdrawFeesAndRewards(payable(msg.sender), humanityId, requestId, 0, 0);
876: 
877:         emit RequestWithdrawn(humanityId, requestId);
878:     }
```

This function is used to withdraw requests done by mistake: `request.status == Status.Vouching` (which is the right thing).

In Line 875 we call `withdrawFeesAndRewards` to withdraw funds deposited for the user.

```solidity
File: ProofOfHumanity.sol
1251:     function withdrawFeesAndRewards(
1252:         address payable _beneficiary,
1253:         bytes20 _humanityId,
1254:         uint256 _requestId,
1255:         uint256 _challengeId,
1256:         uint256 _round
1257:     ) public {
1258:         Request storage request = humanityData[_humanityId].requests[_requestId];
1259:         Challenge storage challenge = request.challenges[_challengeId];
1260:         Round storage round = challenge.rounds[_round];
1261:         require(request.status == Status.Resolved);
```

Attack Scenario:

Users won't be able to cancel their mistakenly made request and will lose funds to the challenger as a consequence.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)

IWildSniperI commented 2 months ago

Okay, rushing is bad, this is invalid already due to line 872.

RRRAAUAARRR commented 2 months ago

do you even write a PoC or execute the damn code? lol

clesaege commented 2 months ago

Yep, see line 872
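
The ordering the comments point to (line 872 runs before the call on line 875), shown as an added example that is not part of the thread or of ProofOfHumanity.sol. It is a reduced Solidity model in which `openRequest`, the `deposit` field and `withdrawRequestWithoutStatusUpdate` are assumptions made for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not ProofOfHumanity.sol: a reduced model of the two
// quoted functions. Storage layout and the deposit field are assumptions.
contract WithdrawOrderModel {
    enum Status { Vouching, Resolved } // only the two values quoted on the page

    struct Request {
        Status status;
        uint256 deposit; // stands in for the requester's contribution
    }

    mapping(address => Request) public requests;

    function openRequest() external payable {
        require(requests[msg.sender].deposit == 0, "request already funded");
        requests[msg.sender] = Request({status: Status.Vouching, deposit: msg.value});
    }

    // Same ordering as lines 869-875: check Vouching, set Resolved, then pay out.
    function withdrawRequest() external {
        Request storage request = requests[msg.sender];
        require(request.status == Status.Vouching, "not vouching");
        request.status = Status.Resolved; // line 872: state change before the call
        withdrawFeesAndRewards(payable(msg.sender)); // guard below now passes
    }

    // Hypothetical variant without the line-872 write: the guard below fails,
    // which is the revert the report describes.
    function withdrawRequestWithoutStatusUpdate() external {
        Request storage request = requests[msg.sender];
        require(request.status == Status.Vouching, "not vouching");
        withdrawFeesAndRewards(payable(msg.sender)); // reverts: still Vouching
    }

    // Mirrors the line-1261 guard: payouts only for resolved requests.
    function withdrawFeesAndRewards(address payable _beneficiary) public {
        Request storage request = requests[_beneficiary];
        require(request.status == Status.Resolved, "not resolved");
        uint256 amount = request.deposit;
        request.deposit = 0; // zero the balance before sending
        (bool sent, ) = _beneficiary.call{value: amount}("");
        require(sent, "transfer failed");
    }
}
```

Calling `withdrawRequest` after `openRequest` refunds the deposit, while `withdrawRequestWithoutStatusUpdate` reverts with "not resolved".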