User might claim less Circle token than expected #108

hats-bug-reporter · 2024-09-16T04:08:33Z

Github username: --
Twitter username: --
Submission hash (on-chain): 0x0bf0da4bc3b2d481be3ca1f4f021cf4e4c1baeb1f9af6d2e2c912c981c7fc7e6
Severity: medium

Description:
Description\

At timestamp T0, when registering a user by Hub.registerHuman, a human can register by someone inviting
Suppose the _human is also registerred in HubV1 contract, but not stopped, in such case, in mintTime.mintV1Status in Hub.sol#L981 will be address of the Circles contract(not CIRCLES_STOPPED_V1).
After some time, _human calls HubV1.stop to stop the Circle contract for HubV1
At timestamp T1, when Hub._checkHumanV1CirclesStatus is called by Hub.personalMint or Hub.calculateIssuanceWithCheck, in Hub.sol#L1068, because the mintTimes[_human].mintV1Status is not CIRCLES_STOPPED_V1, _updateMintV1Status will be called,

Attack Scenario
As described above, if _human doesn't call HubV1.stop to stop the Circle contract for HubV1 in step3, he will get Circle between timestamp T1 and T0.
But if he calls HubV1.stop, he won't get any Circle

The text was updated successfully, but these errors were encountered:

hats-bug-reporter bot added the bug Something isn't working label Sep 16, 2024

benjaminbollen added duplicate This issue or pull request already exists invalid This doesn't seem right labels Sep 16, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

User might claim less Circle token than expected #108

User might claim less Circle token than expected #108

hats-bug-reporter bot commented Sep 16, 2024

User might claim less Circle token than expected #108

User might claim less Circle token than expected #108

Comments

hats-bug-reporter bot commented Sep 16, 2024