[SEC-F21] Anonymous principal has an account
krpeacock opened this issue · 0 comments
krpeacock commented
Observation
For example, an invoice could be created using the anonymous principal as caller.
Risk Description
This is unintended behaviour, especially since this does not come with any security guarantees since everyone can act as the anonymous caller
If a seller does this by accident (e.g. by forgetting to set an identity in the client), their funds can be stolen.
Recommendations
- disallow the anonymous principal
- See best practices here.