Description:Description\
There is a potential exploit in the ProofOfHumanity contract that allows a malicious actor to create a humanity request without depositing any amount, have the request crowdfunded by others, and then withdraw the request to claim the funds. This exploit arises due to the lack of a minimum deposit requirement when creating a humanity request and the ability to withdraw the request while it is still in the Vouching state.
Attack Scenario\
Creating Humanity Without Deposit:
The claimHumanity function allows a user to create a humanity request.
Internally, it calls the _requestHumanity function, which does not enforce a minimum deposit requirement.
As a result, a malicious actor can create a humanity request with msg.value set to zero.
3. Withdrawing the Request:
* The withdrawRequest function allows the requester to withdraw the request if it is in the Vouching state.
* This function deletes the request count, sets the request status to Resolved, and calls withdrawFeesAndRewards to withdraw the fees and rewards to the requester.
```solidity
function withdrawRequest() external {
bytes20 humanityId = accountHumanity[msg.sender];
Humanity storage humanity = humanityData[humanityId];
uint256 requestId = humanity.requestCount[msg.sender] - 1;
Request storage request = humanity.requests[requestId];
require(request.status == Status.Vouching);
delete humanity.requestCount[msg.sender];
request.status = Status.Resolved;
withdrawFeesAndRewards(payable(msg.sender), humanityId, requestId, 0, 0);
emit RequestWithdrawn(humanityId, requestId);
}
Attachments
Proof of Concept (PoC) File
Step 1: Malicious actor calls claimHumanity with msg.value set to zero.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x2417167ee47301faee01ca53707bf93627f82bcd486a2f5113d455f08f409ee6 Severity: high
Description: Description\ There is a potential exploit in the ProofOfHumanity contract that allows a malicious actor to create a humanity request without depositing any amount, have the request crowdfunded by others, and then withdraw the request to claim the funds. This exploit arises due to the lack of a minimum deposit requirement when creating a humanity request and the ability to withdraw the request while it is still in the Vouching state.
Attack Scenario\
claimHumanity
function allows a user to create a humanity request._requestHumanity
function, which does not enforce a minimum deposit requirement.As a result, a malicious actor can create a humanity request with msg.value set to zero.
This function checks if the request is in the Vouching state and then calls _contribute to handle the deposit.
Attachments
Step 1: Malicious actor calls claimHumanity with msg.value set to zero.
Step 2: Crowd funds the request by calling fundRequest.
Step 3: Malicious actor calls withdrawRequest to withdraw the request and claim the funds.