Transaction must include the confirm signatures for the inputs being spent. If the confirm signatures are only ever sent to the receivers of UTXOs, then one can create a chain of "Sybil Transactions" and then exit multiple times.
Additionally, if someone is offline for an extended amount of time and the sender of one of their UTXOs has already successfully exited, nothing currently stops them from simply exiting their invalid UTXO as well.
Proposed changes to fix the vulnerability:
- Include confirm signatures of inputs in transaction
- Include ability to challenge exit by proving that its input has already successfully exited.
References vulnerability found here: https://ethresear.ch/t/plasma-vulnerabiltity-sybil-txs-drained-contract/1654
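The two proposed changes, modelled as an added example that is not the project's contract code. `ExitLedger`, `Tx`, the `sig_ok` callback and the `confirm(...)` strings are hypothetical stand-ins; real confirm-signature verification and Merkle inclusion proofs are assumed to happen behind `sig_ok` and are not shown.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple                   # ids of the UTXOs this tx spends
    input_confirm_sigs: tuple = ()  # confirm signature for each input (change 1)

@dataclass
class ExitLedger:
    """Hypothetical stand-in for the root contract's exit bookkeeping."""
    sig_ok: object                               # assumed callable(utxo_id, sig) -> bool
    exited: set = field(default_factory=set)     # UTXOs whose exit finalized
    pending: dict = field(default_factory=dict)  # exiting UTXO -> tx that created it

    def start_exit(self, utxo, tx):
        # Change 1: the tx itself must carry a valid confirm signature per input.
        if len(tx.input_confirm_sigs) != len(tx.inputs) or not all(
                self.sig_ok(i, s) for i, s in zip(tx.inputs, tx.input_confirm_sigs)):
            raise ValueError("missing or invalid confirm signature for an input")
        if utxo in self.exited or utxo in self.pending:
            raise ValueError("exit already started or finalized")
        self.pending[utxo] = tx

    def challenge_input_exited(self, utxo, input_id):
        # Change 2: cancel the exit if the named input has already exited.
        tx = self.pending.get(utxo)
        if tx and input_id in tx.inputs and input_id in self.exited:
            del self.pending[utxo]
            return True
        return False

    def finalize(self, utxo):
        if utxo not in self.pending:
            raise KeyError("no pending exit for " + utxo)
        del self.pending[utxo]
        self.exited.add(utxo)

def demo():
    # Constructed sample data: signatures are opaque strings checked by a stub.
    ledger = ExitLedger(sig_ok=lambda utxo, sig: sig == "confirm(" + utxo + ")")
    deposit = Tx("dep", inputs=())
    tx1 = Tx("tx1", inputs=("dep:0",), input_confirm_sigs=("confirm(dep:0)",))
    ledger.start_exit("dep:0", deposit)
    ledger.finalize("dep:0")         # the sender's exit succeeds first
    ledger.start_exit("tx1:0", tx1)  # the receiver later tries to exit the output
    return ledger.challenge_input_exited("tx1:0", "dep:0"), "tx1:0" in ledger.pending
```

`demo()` returns `(True, False)`: the challenge succeeds and the exit of the invalid output is removed before it can finalize.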