Open hats-bug-reporter[bot] opened 2 weeks ago
Requests made without a deposit wouldn't be looked at by potential challengers as they can filter in order to only see requests that are at a particular stage.
When making the video, it is necessary to include your address particularly for this purpose (prevent someone from copying your request). The challengers would then see that the address doesn't match and challenge.
As per the guidelines, the following are excluded: Issues about challengers missing some invalid profile submissions/removals (for the purpose of this review, we will assume challengers are perfect and omniscient and that they always challenge invalid actions before the deadline).
Github username: --
Twitter username: --
Submission hash (on-chain): 0x2aedaf1f6e8d30228e7d9e5402075b6db22f7f764527cd1b4132e387a554429b
Severity: medium
Description
`claimHumanity` allows a user to enter the registry. Note that there is no need to pay the full deposit right away; this is also stated inside the commentary:

Inside this function `_evidence` is taken and later emitted to prove that the `_humanityId` belongs to the caller of this function. Furthermore, the function retrieves the `requestId`; this ensures that this function can only be called once by the caller.

The problem however is that a malicious user is able to spam `claimHumanity` for a `_humanityId`:

- `claimHumanity`
- `claimHumanity` and copies the parameters from the Honest user
- `requestId` of the malicious user will now be 1 less than the Honest user's
- `msg.value` (he is able to do so since there is no need to pay the full deposit; rather, the user can just deposit a wei value)
- `humanityId`, nor is the time expired

The user is able to do this for practically no value and can do so for every user that is in the process of claiming a humanity.
Recommendation

Introduce a way to prevent this from happening, for example, setting a minimum `msg.value` that has to be used whenever calling `claimHumanity`.
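To make the recommended mitigation concrete, here is an added, deliberately simplified registry contract written for this page. It is not the Proof of Humanity code and not the project's own fix; the contract name, storage layout, `minClaimDeposit`, `requestBaseDeposit`, `claimHumanityWeak` and `isFullyFunded` are all assumptions. It shows the unguarded claim path that accepts any `msg.value` next to a hardened `claimHumanity` that enforces a minimum deposit, and exposes a funded-state view so front-ends can filter requests by stage as the comment above describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, simplified registry used only to illustrate the report above.
/// Not the Proof of Humanity contract: names, storage and amounts are assumptions.
contract ClaimRegistryExample {
    struct Request {
        address requester;
        uint256 deposit;
        uint256 submittedAt;
    }

    /// Full deposit a request must eventually carry to count as funded.
    uint256 public immutable requestBaseDeposit;
    /// Minimum amount accepted at claim time (the mitigation the report recommends).
    uint256 public immutable minClaimDeposit;

    /// humanityId => requests opened for it; requestId is the array index.
    mapping(bytes20 => Request[]) private requests;
    /// humanityId => claimant => whether this caller already opened a request.
    mapping(bytes20 => mapping(address => bool)) private hasClaimed;

    event ClaimRequest(address indexed requester, bytes20 indexed humanityId, uint256 requestId, string evidence);

    constructor(uint256 _requestBaseDeposit, uint256 _minClaimDeposit) {
        require(_minClaimDeposit <= _requestBaseDeposit, "min above base");
        requestBaseDeposit = _requestBaseDeposit;
        minClaimDeposit = _minClaimDeposit;
    }

    /// Weak variant (assumed, for contrast): any call, even with 1 wei, opens a
    /// request and consumes a requestId slot for this humanityId. This is the
    /// pattern the report describes as cheap to spam.
    function claimHumanityWeak(bytes20 _humanityId, string calldata _evidence)
        external
        payable
        returns (uint256 requestId)
    {
        require(!hasClaimed[_humanityId][msg.sender], "already claimed");
        hasClaimed[_humanityId][msg.sender] = true;
        requestId = _open(_humanityId, _evidence);
    }

    /// Hardened variant: same flow, but a minimum deposit is enforced so every
    /// request costs the caller something meaningful.
    function claimHumanity(bytes20 _humanityId, string calldata _evidence)
        external
        payable
        returns (uint256 requestId)
    {
        require(msg.value >= minClaimDeposit, "deposit below minimum");
        require(!hasClaimed[_humanityId][msg.sender], "already claimed");
        hasClaimed[_humanityId][msg.sender] = true;
        requestId = _open(_humanityId, _evidence);
    }

    /// Records the request and emits the evidence so the claim is attributable
    /// to msg.sender, mirroring the event described in the report.
    function _open(bytes20 _humanityId, string calldata _evidence) private returns (uint256 requestId) {
        requestId = requests[_humanityId].length;
        requests[_humanityId].push(
            Request({requester: msg.sender, deposit: msg.value, submittedAt: block.timestamp})
        );
        emit ClaimRequest(msg.sender, _humanityId, requestId, _evidence);
    }

    function requestCount(bytes20 _humanityId) external view returns (uint256) {
        return requests[_humanityId].length;
    }

    /// Lets a front-end show challengers only requests that reached the funded
    /// stage, which is the filtering behaviour the maintainer comment relies on.
    function isFullyFunded(bytes20 _humanityId, uint256 _requestId) external view returns (bool) {
        return requests[_humanityId][_requestId].deposit >= requestBaseDeposit;
    }
}
```

The two defences are complementary: `minClaimDeposit` raises the cost of each spam request at the contract level, while `isFullyFunded` lets challengers and front-ends ignore requests that never reach the funded stage, so a flood of underfunded requests does not change what reviewers see.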