Canto Identity Protocol contest - wait's results

Lines of code

https://github.com/code-423n4/2023-01-canto-identity/blob/dff8e74c54471f5f3b84c217848234d474477d82/src/AddressRegistry.sol#L62

Vulnerability details

Impact

The inability of AddressRegistry.sol#getCID() to return a valid value makes the AddressRegistry functionality meaningless. Other contracts that use the cid protocol will get the wrong data, which may produce various abnormal situations and may even lead to loss of funds.

Proof of Concept

Function AddressRegistry.sol#register requires the msg.sender to be the owner of the cid NFT.

function register(uint256 _cidNFTID) external {
    if (ERC721(cidNFT).ownerOf(_cidNFTID) != msg.sender)
        // We only guarantee that a CID NFT is owned by the user at the time of registration
        // ownerOf reverts if non-existing ID is provided
        revert NFTNotOwnedByUser(_cidNFTID, msg.sender);
    cidNFTs[msg.sender] = _cidNFTID;
    emit CIDNFTAdded(msg.sender, _cidNFTID);
}

Function AddressRegistry.sol#getCID() simply returns the state written during registration, which will be invalid if the nft's owner changes after registration.

function getCID(address _user) external view returns (uint256 cidNFTID) {
    cidNFTID = cidNFTs[_user];
}

Tools Used

Manual

Recommended Mitigation Steps

I recommend checking the owner of the cid NFT in getCID. If the user is no longer the owner of the cid NFT, return 0.