Exploit Allows Malicious Actors to Withdraw Crowdfunded Deposits Without Initial Contribution in ProofOfHumanity

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0x2417167ee47301faee01ca53707bf93627f82bcd486a2f5113d455f08f409ee6 Severity: high

Description: Description\ There is a potential exploit in the ProofOfHumanity contract that allows a malicious actor to create a humanity request without depositing any amount, have the request crowdfunded by others, and then withdraw the request to claim the funds. This exploit arises due to the lack of a minimum deposit requirement when creating a humanity request and the ability to withdraw the request while it is still in the Vouching state.

Attack Scenario\

1. Creating Humanity Without Deposit:

• The claimHumanity function allows a user to create a humanity request.
• Internally, it calls the _requestHumanity function, which does not enforce a minimum deposit requirement.

• As a result, a malicious actor can create a humanity request with msg.value set to zero.

  function claimHumanity(bytes20 _humanityId, string calldata _evidence, string calldata _name) external payable {
  Humanity storage humanity = humanityData[_humanityId];
  
  require(_humanityId != 0);
  require(!isHuman(msg.sender));
  require(humanity.owner == address(0x0) || humanity.expirationTime < block.timestamp);
  
  uint256 requestId = _requestHumanity(_humanityId);
  
  emit ClaimRequest(msg.sender, _humanityId, requestId, _name);
  emit Evidence(
      arbitratorDataHistory[arbitratorDataHistory.length - 1].arbitrator,
      uint256(keccak256(abi.encodePacked(_humanityId, requestId))),
      msg.sender,
      _evidence
  );
  }

  function _requestHumanity(bytes20 _humanityId) internal returns (uint256 requestId) {
  require(humanityData[accountHumanity[msg.sender]].requestCount[msg.sender] == 0);
  
  Humanity storage humanity = humanityData[_humanityId];
  
  requestId = humanity.requests.length;
  
  Request storage request = humanity.requests.push();
  request.requester = payable(msg.sender);
  
  uint256 arbitratorDataId = arbitratorDataHistory.length - 1;
  request.arbitratorDataId = uint16(arbitratorDataId);
  
  humanity.requestCount[msg.sender] = requestId + 1;
  accountHumanity[msg.sender] = _humanityId;
  
  ArbitratorData memory arbitratorData = arbitratorDataHistory[arbitratorDataId];
  uint256 totalCost = arbitratorData.arbitrator.arbitrationCost(arbitratorData.arbitratorExtraData).addCap(
      requestBaseDeposit
  );
  _contribute(_humanityId, requestId, 0, 0, Party.Requester, totalCost);
  }

  2. Crowdfunding:
• The fundRequest function allows others to contribute to the request's deposit.

• This function checks if the request is in the Vouching state and then calls _contribute to handle the deposit.

  
  function fundRequest(bytes20 _humanityId, uint256 _requestId) external payable {
  Request storage request = humanityData[_humanityId].requests[_requestId];
  require(request.status == Status.Vouching);
  
  ArbitratorData memory arbitratorData = arbitratorDataHistory[request.arbitratorDataId];
  uint256 totalCost = arbitratorData.arbitrator.arbitrationCost(arbitratorData.arbitratorExtraData).addCap(
      requestBaseDeposit
  );
  
  _contribute(_humanityId, _requestId, 0, 0, Party.Requester, totalCost);
  }

3. Withdrawing the Request:

* The withdrawRequest function allows the requester to withdraw the request if it is in the Vouching state.
* This function deletes the request count, sets the request status to Resolved, and calls withdrawFeesAndRewards to withdraw the fees and rewards to the requester.
```solidity
function withdrawRequest() external {
    bytes20 humanityId = accountHumanity[msg.sender];
    Humanity storage humanity = humanityData[humanityId];
    uint256 requestId = humanity.requestCount[msg.sender] - 1;
    Request storage request = humanity.requests[requestId];
    require(request.status == Status.Vouching);

    delete humanity.requestCount[msg.sender];
    request.status = Status.Resolved;

    withdrawFeesAndRewards(payable(msg.sender), humanityId, requestId, 0, 0);

    emit RequestWithdrawn(humanityId, requestId);
}

Attachments

1. Proof of Concept (PoC) File

Step 1: Malicious actor calls claimHumanity with msg.value set to zero.

claimHumanity(0x1234567890abcdef1234567890abcdef12345678, "evidence_link", "Malicious Actor");

Step 2: Crowd funds the request by calling fundRequest.

fundRequest(0x1234567890abcdef1234567890abcdef12345678, 0);

Step 3: Malicious actor calls withdrawRequest to withdraw the request and claim the funds.

withdrawRequest();

2. Revised Code File (Optional)

[clesaege]

Similar to https://github.com/hats-finance/Proof-Of-Humanity-V2-0xef0709445d394a22704850c772a28a863bb780b0/issues/15