Skip to content

[Security] set_risk_tier has no access control — any address can overwrite any user's score #50

Description

@Shantanu112-bd

Problem

set_risk_tier has no authorization check. Any address can
overwrite any user's risk score, making the on-chain credit
score trivially manipulable.

Impact

  • Blocks mainnet deployment (v1.1 roadmap)
  • Downstream protocols cannot trust the score

Proposed Fix

  • Add initialize(admin) — sets a trusted admin address once
  • set_risk_tier now requires caller to be admin OR the user themselves
  • Full unit test coverage for all auth paths

I have a working fix with 22/22 tests passing. Happy to open a PR.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions