WICG/trust-token-api

Can you not identify a user based on the particular PSTs a user has?

naturedamends opened this issue · 1 comment

I.e., by using the number of issuers that a user has PSTs for.

To prevent this, you could limit the number of requests to access a PST on a redeemer website: after a single issuer's PST has been found, no more requests for PSTs from other issuers.

This is currently mitigated by limiting redemption attempts on a site to two issuers, regardless of whether there are tokens available from that issuer. You need to count an issuer against the limit even if there aren't tokens available as otherwise the site could iterate through all issuers until it hits a positive match.
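A small Python model of the mitigation described in the comment above, added here as an example (not code from the Trust Token API project or its browser implementations): it contrasts counting only issuers that actually had tokens with counting every attempted issuer, and shows why only the latter caps what a site can learn at two issuers. The issuer names, token counts, site name and the `RedemptionModel` class are all constructed for the example.

```python
"""Model of a per-site issuer limit for Private State Token redemption.
Constructed for illustration; not the spec's or Chromium's actual logic."""
from collections import defaultdict

# The two-issuer limit is the value quoted in the discussion above.
ISSUER_LIMIT = 2


class RedemptionModel:
    """Tracks, per top-level site, which issuers have been counted.

    count_empty=True counts an issuer against the limit even when the user
    holds no tokens from it (the mitigation the comment describes).
    count_empty=False models the weaker variant that only counts issuers
    that actually had tokens, so a site can keep probing.
    """

    def __init__(self, tokens_by_issuer, count_empty=True):
        self.tokens = dict(tokens_by_issuer)  # issuer -> tokens held (constructed)
        self.count_empty = count_empty
        self.tried = defaultdict(set)         # site -> issuers counted on it

    def redeem(self, site, issuer):
        """Return True if a redemption with `issuer` is allowed on `site`."""
        tried = self.tried[site]
        has_tokens = self.tokens.get(issuer, 0) > 0
        if issuer not in tried and len(tried) >= ISSUER_LIMIT:
            return False  # per-site issuer budget already spent
        if has_tokens or self.count_empty:
            tried.add(issuer)
        return has_tokens


def issuers_observable(model, site, issuers):
    """Issuers a site learns the user holds tokens for by trying each in turn."""
    return {i for i in issuers if model.redeem(site, i)}


if __name__ == "__main__":
    wallet = {"issuer-C": 3, "issuer-E": 1}      # constructed user state
    probe = [f"issuer-{c}" for c in "ABCDEF"]   # constructed issuer list
    weak = RedemptionModel(wallet, count_empty=False)
    strong = RedemptionModel(wallet, count_empty=True)
    print("only successes counted:", issuers_observable(weak, "site.test", probe))
    print("every attempt counted: ", issuers_observable(strong, "site.test", probe))
```

With `count_empty=False` the site recovers the full set of issuers the user holds tokens for; with `count_empty=True` the two empty probes exhaust the budget before any positive match is reached.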