hats-finance / Proof-Of-Humanity-V2-0xef0709445d394a22704850c772a28a863bb780b0

Proof of Humanity Protocol v2

User can spam humanity claims for any user #42

Open hats-bug-reporter[bot] opened 2 weeks ago

hats-bug-reporter[bot] commented 2 weeks ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x2aedaf1f6e8d30228e7d9e5402075b6db22f7f764527cd1b4132e387a554429b
Severity: medium

Description:

Description

claimHumanity allows for a user to enter the registry, note that there is no need to pay the full deposit right away, this is also stated inside the commentary:

    function claimHumanity(bytes20 _humanityId, string calldata _evidence, string calldata _name) external payable {
        Humanity storage humanity = humanityData[_humanityId];

        require(_humanityId != 0);
        require(!isHuman(msg.sender));
        require(humanity.owner == address(0x0) || humanity.expirationTime < block.timestamp);

        uint256 requestId = _requestHumanity(_humanityId);

        emit ClaimRequest(msg.sender, _humanityId, requestId, _name);
        emit Evidence(
            arbitratorDataHistory[arbitratorDataHistory.length - 1].arbitrator,
            uint256(keccak256(abi.encodePacked(_humanityId, requestId))),
            msg.sender,
            _evidence
        );
    }

Inside this function, _evidence is taken and later emitted to prove that the _humanityId belongs to the caller of this function. Furthermore, the function retrieves the requestId; this ensures that this function can only be called once by the caller.

The problem, however, is that a malicious user is able to spam claimHumanity for a _humanityId:

The user is able to do this for practically no value and can do so for every user that is in the process of claiming a humanity.

Recommendation

Introduce a way to prevent this from happening, for example, setting a minimum msg.value that has to be used whenever calling claimHumanity.

clesaege commented 2 weeks ago

Requests made without a deposit wouldn't be looked at by potential challengers as they can filter in order to only see requests that are at a particular stage.

When making the video, it is necessary to include your address particularly for this purpose (prevent someone from copying your request). The challengers would then see that the address doesn't match and challenge.

As per the guidelines, the following are excluded: issues about challengers missing some invalid profile submissions/removals (for the purpose of this review, we will assume challengers are perfect and omniscient and that they always challenge invalid actions before the deadline).
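The two sides of this thread, the report's zero-cost spam of claimHumanity and the maintainer's point that challengers filter on request stage, can be played out in a small model. The following is an added example written for this page, not code from the Proof of Humanity contracts or from either commenter; the deposit figure, the two stage names, the address strings and the `min_initial_deposit` guard (the report's suggested mitigation) are all constructed assumptions.

```python
"""Toy model of spam claim requests against a humanity registry.

Constructed example: the deposit figure, the two stages and the address
names are assumptions for illustration, not values from the contract.
"""
from dataclasses import dataclass
from enum import Enum


# Assumed: a request only becomes challengeable once its base deposit is fully paid.
REQUEST_BASE_DEPOSIT = 1_000


class Stage(Enum):
    VOUCHING = "vouching"    # deposit not yet fully paid
    RESOLVING = "resolving"  # fully funded; this is the stage challengers filter on


@dataclass
class Request:
    requester: str
    humanity_id: str
    paid: int = 0

    @property
    def stage(self) -> Stage:
        return Stage.RESOLVING if self.paid >= REQUEST_BASE_DEPOSIT else Stage.VOUCHING


class Registry:
    """Keeps at most one request per (humanity_id, requester), mirroring one requestId per caller."""

    def __init__(self, min_initial_deposit: int = 0) -> None:
        # Assumed mitigation from the report: a minimum msg.value on claimHumanity (0 = no guard).
        self.min_initial_deposit = min_initial_deposit
        self.requests: dict[str, list[Request]] = {}

    def claim_humanity(self, sender: str, humanity_id: str, value: int) -> Request:
        if value < self.min_initial_deposit:
            raise ValueError("initial deposit below minimum")
        pending = self.requests.setdefault(humanity_id, [])
        if any(r.requester == sender for r in pending):
            raise ValueError("caller already has a request for this humanity")
        req = Request(sender, humanity_id, value)
        pending.append(req)
        return req

    def fund_request(self, req: Request, value: int) -> None:
        req.paid += value

    def challenge_queue(self, humanity_id: str) -> list[Request]:
        """What a challenger who filters on the resolving stage actually sees."""
        return [r for r in self.requests.get(humanity_id, []) if r.stage == Stage.RESOLVING]


def run_spam_scenario(spam_count: int = 50, min_initial_deposit: int = 0) -> dict:
    """One legitimate claimant funds fully; `spam_count` fresh addresses claim with value 0."""
    reg = Registry(min_initial_deposit)
    hid = "0x" + "ab" * 20  # constructed humanityId
    legit = reg.claim_humanity("0xLEGIT", hid, REQUEST_BASE_DEPOSIT)
    rejected = 0
    for i in range(spam_count):
        try:
            reg.claim_humanity(f"0xSPAM{i:04d}", hid, 0)  # zero-cost claim, as in the report
        except ValueError:
            rejected += 1
    queue = reg.challenge_queue(hid)
    return {
        "total_requests": len(reg.requests[hid]),   # everything stored on-chain
        "spam_rejected": rejected,                   # claims blocked by the min-deposit guard
        "challengeable": len(queue),                 # what the filtering challenger sees
        "legit_visible": any(r is legit for r in queue),
    }


if __name__ == "__main__":
    print("no guard:  ", run_spam_scenario())
    print("min deposit", run_spam_scenario(min_initial_deposit=100))
```

Without a guard the registry accumulates 51 requests but the challenger's filtered queue still holds only the one fully funded claim, which is the maintainer's argument; with a minimum initial deposit the 50 zero-value claims are rejected before they are stored, which is the report's proposed mitigation. The model says nothing about storage or event-log growth from the unfunded requests, which is the remaining cost the report is pointing at.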