Quick Holographic Canary
Medium
The function createMarketWithConfigAdmin in ReputationMarket.sol is missing a check for blocked accounts (!creationAllowedProfileIds[senderProfileId]), which can be exploited to create a market even when the profile ID is blocked from doing so.
ReputationMarket::createMarketWithConfigAdmin should revert if the user's profile is blacklisted from creating a market.
- The admin needs to call ReputationMarket::createMarketWithConfigAdmin, as this function is restricted to admin-level access.
No response
- The user's profile is blocked from creating a market.
- The admin is unaware that the createMarketWithConfigAdmin function is missing checks for blocked accounts.
- The admin calls createMarketWithConfigAdmin with a blocked profile ID.
- The market is created despite the user being blocked from creating a market.
Profiles blocked from creating markets can still bypass restrictions and create a market.
No response
No response
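The missing check described above, shown beside a variant that enforces it. This is an added example, not code from ReputationMarket.sol or from the report's author. Only creationAllowedProfileIds and createMarketWithConfigAdmin are names taken from the finding; the single-admin model, the profileId parameter, the error names and the helper functions are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model written for this example; it is not ReputationMarket.sol.
contract MarketCreationModel {
    address public immutable admin;                             // assumed single-admin model
    mapping(uint256 => bool) public creationAllowedProfileIds;  // false = blocked from creating
    mapping(uint256 => bool) public marketExists;               // hypothetical market registry

    error NotAdmin();                                           // hypothetical error names
    error MarketCreationUnauthorized(uint256 profileId);
    error MarketAlreadyExists(uint256 profileId);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    // Hypothetical helper: the admin allows or blocks a profile.
    function setCreationAllowed(uint256 profileId, bool allowed) external onlyAdmin {
        creationAllowedProfileIds[profileId] = allowed;
    }

    // Behaviour described in the finding: the admin path never consults
    // creationAllowedProfileIds, so a blocked profile still gets a market.
    function createMarketWithConfigAdmin(uint256 profileId) external onlyAdmin {
        _createMarket(profileId);
    }

    // Hardened variant: same admin gate, plus the allow-list check,
    // so the call reverts for a blocked profile.
    function createMarketWithConfigAdminChecked(uint256 profileId) external onlyAdmin {
        if (!creationAllowedProfileIds[profileId]) revert MarketCreationUnauthorized(profileId);
        _createMarket(profileId);
    }

    // Shared creation logic; rejects a second market for the same profile.
    function _createMarket(uint256 profileId) private {
        if (marketExists[profileId]) revert MarketAlreadyExists(profileId);
        marketExists[profileId] = true;
    }
}
```

With a profile left at its default (blocked) state, the first function sets marketExists to true while the checked variant reverts with MarketCreationUnauthorized.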