A publicly accessible GraphQL mutation named notify is exposed on the production endpoint https://galacticcouncil.squids.live/hydration-pools:prod/api/graphql.
This would allow an attacker to push arbitrary notifications to users, potentially resulting in phishing or spam. While not directly critical, this could create panic or misdirect users. Although the vulnerable endpoint was not yet used in production, we would like to pay out a goodwill reward, as we would likely have used it in the future with the bug still present.
Proposed payout of $1000 in HDX at the ~0.01381 7-day average price.
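The root cause described above is a mutation that any unauthenticated caller can execute. The following is an added illustration, not code from the Hydration project or its Subsquid endpoint: a minimal in-memory GraphQL-style mutation dispatcher that shows the unprotected `notify` resolver beside a form gated on the caller's identity and role. The resolver names, the `notifier` role, the `context.user` shape and the notification store are all assumptions made for the example; in a real deployment `context.user` would be derived by the HTTP layer from a verified credential.

```javascript
// Added example (not Hydration/Subsquid code): why an unauthenticated
// "notify" mutation is a problem, and one way to gate it.

const notifications = []; // constructed in-memory store (stands in for a DB)

// Resolvers take (args, context) as a GraphQL resolver would. context.user is
// whatever the HTTP layer derived from the request's credential, or null when
// the request carried none (assumed shape for this example).
const resolvers = {
  // Vulnerable form: nothing checks who is calling, so anyone who can reach
  // the endpoint can push a message to any user.
  notifyUnprotected(args, _ctx) {
    notifications.push({ to: args.userId, text: args.message });
    return { ok: true };
  },
};

// Hardened form: wrap a resolver so it runs only for an authenticated caller
// that holds the required role. Authentication and authorization failures are
// distinguished so they can be logged and alerted on separately.
function requireRole(role, resolver) {
  return (args, ctx) => {
    if (!ctx.user) throw new Error('UNAUTHENTICATED');
    if (!ctx.user.roles.includes(role)) throw new Error('FORBIDDEN');
    return resolver(args, ctx);
  };
}
resolvers.notify = requireRole('notifier', resolvers.notifyUnprotected);

// Dispatch one mutation request and return a GraphQL-shaped response
// ({ data, errors }) rather than letting resolver errors crash the server.
function executeMutation(request, ctx) {
  const resolver = resolvers[request.mutation];
  if (!resolver) {
    return { data: null, errors: [{ message: 'unknown mutation' }] };
  }
  try {
    const result = resolver(request.variables, ctx);
    return { data: { [request.mutation]: result }, errors: [] };
  } catch (e) {
    return { data: null, errors: [{ message: e.message }] };
  }
}

// Constructed sample callers and request.
const anonymous = { user: null };
const service = { user: { id: 'svc-1', roles: ['notifier'] } };
const req = { mutation: 'notify', variables: { userId: 'u42', message: 'hi' } };

// Run the same request through both resolvers and report what got stored.
function demo() {
  notifications.length = 0;
  const results = [
    executeMutation({ ...req, mutation: 'notifyUnprotected' }, anonymous), // accepted
    executeMutation(req, anonymous), // rejected: UNAUTHENTICATED
    executeMutation(req, service), // accepted: authenticated + role
  ];
  return { results, stored: notifications.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

Beyond the role check, a mutation that is not used in production should not be reachable from the production schema at all; removing it from the exposed schema is the smaller attack surface, and the role gate is the control for the day it is actually needed.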
After checking, this is a proposal initiated by the team.
But in order to improve the efficiency of proposal voting and urge identity authentication, I voted against it.
There is a lot of room for optimization in identity authentication.