Right now it's possible to create a C2T transaction to an account that doesn't exist and that transaction would be impossible to dispute.
If user creates and signs C2T transaction with ToPublicHash = keccak256(abi.encode(0)) that will create UserState with pubkeyID that isn't assigned to anyone. These funds will be available to the user with publicKey that will get this pubkeyID due to future account registration.
Right now it's possible to create a C2T transaction to an account that doesn't exist and that transaction would be impossible to dispute. If user creates and signs C2T transaction with
ToPublicHash = keccak256(abi.encode(0))that will create UserState with pubkeyID that isn't assigned to anyone. These funds will be available to the user with publicKey that will get this pubkeyID due to future account registration.I think that single if statement would fix this problem after this require. https://github.com/thehubbleproject/hubble-contracts/blob/c1d1f197ba9b68284cbc4ec145e286a4e84c0eaf/contracts/libs/Authenticity.sol#L177