Wrong implementation of `OWPIdentity::burnBatchMultiple`
Summary
The [OWPIdentity::burnBatchMultiple](https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/OWPIdentity.sol#L59) is implemented wrongly since an address can have multiple IDs.
Vulnerability Details
First, let's take a look at mintBatch we can see that one address can mint alot of ids
with this information lets take a look at `burnBatchMultiple`
This function as we can observe it is used to burn IDs from multiple addresses at once unlike burnBatch that takes one address at a time. But the case is that this function implementation does not take into consideration one address can have more than one ID, As a result if one address has multiple IDs, it will only delete the specified one in the function parameter or it has to be duplicated in the address[] memory tos to match the number of Ids the user has which will also lead to high gas cost and maybe an out-of-gas revert if there alot of items in the array.
A correct implementation of burnBatchMultiple is (https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/tokens/MembershipERC1155.sol#L91)
Note: This is a similar implementation not the same because this has a cap on the number of items, However it portrays the same idea.
Impact
Incorrect implementation of function
Tools Used
manual review
Recommendations
Revisit the implementation of burnBatchMultiple so that it can burn all IDs of multiple addresses. Make use of mappings to make the tracking of Ids to addresses easier.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.