
Malicious User Can Penalize Honest Vouchers Through Self-Challenge Exploit #153

Open
hats-bug-reporter bot opened this issue Sep 3, 2024 · 1 comment
Labels
bug Something isn't working invalid This doesn't seem right

Comments

@hats-bug-reporter

Github username: --
Twitter username: --
Submission hash (on-chain): 0x2950958165d818b4c1f705ec40fe415edc0b71d2c7202e4080884b5481c2372e
Severity: medium

Description:

Vulnerability Detail

  1. Create and Renew Humanity:
    • The malicious user creates a Humanity ID with their Ethereum address and later calls renewHumanity.
    • Honest users, seeing the Humanity ID as legitimate (and the user being a real human), will vouch for it.
  2. Transfer Humanity:
    • The user watches the vouches, and after gaining enough vouches, the malicious user calls transferHumanity to move their Humanity ID to another address.
  3. Advance Vouching Process:
    • The user calls advance state.
  4. Self-Challenge:
    • The user then uses another address to challenge the Humanity ID they initially created, using the reason "duplicate identity" (the user is on chain X and wants to claim on the current chain as well).
  5. Penalization of Honest Vouchers:
    • Upon winning the challenge, the honest users who vouched for the Humanity ID are penalised.

Recommendation

Implement checks to prevent users from transferring while they call renew humanity.

@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Sep 3, 2024
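A toy model of the reported sequence and of the check the report recommends, added here for illustration; it is not Proof of Humanity's contract code, and every name (Registry, claim, renew, vouch, transfer, resolve_challenge, the sample addresses) is assumed.

```python
from dataclasses import dataclass, field


@dataclass
class Humanity:
    owner: str
    vouchers: set = field(default_factory=set)
    pending_request: bool = False  # renewal still in its vouching/challenge window


class Registry:
    """Simplified vouch/transfer/challenge model (assumed names, not PoH's contract)."""

    def __init__(self, block_transfer_during_request: bool):
        self.guard = block_transfer_during_request
        self.humanities: dict = {}

    def claim(self, hid: str, owner: str) -> None:
        self.humanities[hid] = Humanity(owner)

    def renew(self, hid: str) -> None:
        self.humanities[hid].pending_request = True

    def vouch(self, hid: str, voucher: str) -> None:
        h = self.humanities[hid]
        if not h.pending_request:
            raise ValueError("no pending request to vouch for")
        h.vouchers.add(voucher)

    def transfer(self, hid: str, new_owner: str) -> None:
        h = self.humanities[hid]
        # The report's recommendation: refuse transfers while a renewal is pending.
        if self.guard and h.pending_request:
            raise PermissionError("transfer blocked: renewal request pending")
        h.owner = new_owner

    def resolve_challenge(self, hid: str, challenger_wins: bool) -> set:
        """Return the vouchers penalised when the challenge succeeds."""
        if not challenger_wins:
            return set()
        return set(self.humanities.pop(hid).vouchers)


def run_scenario(guarded: bool) -> tuple:
    """Replay the reported steps; returns (transfer_succeeded, penalised vouchers)."""
    reg = Registry(block_transfer_during_request=guarded)
    reg.claim("H1", "attacker_addr_1")  # constructed sample identifiers
    reg.renew("H1")
    for honest in ("alice", "bob"):  # constructed honest vouchers
        reg.vouch("H1", honest)
    try:
        reg.transfer("H1", "attacker_addr_2")
    except PermissionError:
        return False, set()
    return True, reg.resolve_challenge("H1", challenger_wins=True)
```

Without the guard the self-challenge step penalises both honest vouchers; with it the transfer in step 2 is refused and the scenario stops there.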
@clesaege

clesaege commented Sep 3, 2024

Assuming that the profile is indeed a "duplicate identity", this is the expected behaviour. People should only vouch for people they trust (and "Trust is risk"). If you vouch for someone malicious, you risk losing your profile.

@clesaege clesaege added the invalid This doesn't seem right label Sep 3, 2024