All contracts, except type beacon, poll and vote, can be deleted, and re-issued if they were deleted, without the knowledge of the private key. The "Action" <MA> field can be either "A" for add or "D" for delete, but this information is not signed. So the whole contract can be copied, A replaced with D, and sent again. Yes, most contracts are signed with a key pair whose private key is public in the code (go figure).
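The defect described in the report is a verifier that leaves a meaning-changing field out of the signed data. The following is an added model of that check, not Gridcoin's own code: it uses an HMAC with a constructed key as a stand-in for the contract key-pair signature (the verification principle is identical), assumes made-up field names (`type`, `action`, `key`, `value`) and a constructed sample contract, and compares a verifier that omits the action field with one that signs every field.

```python
import hashlib
import hmac
import json

# Constructed secret standing in for the contract signer's private key.
# A real deployment would use a public-key signature; HMAC keeps this
# example dependency-free and the lesson is the same.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"

# Constructed sample contract; field names are assumptions for this model.
CONTRACT = {
    "type": "project",
    "action": "A",
    "key": "example_project",
    "value": "http://example.invalid/",
}


def message_without_action(contract):
    """Weak variant: the action field is excluded from the signed bytes."""
    covered = {k: contract[k] for k in ("type", "key", "value")}
    return json.dumps(covered, sort_keys=True).encode()


def message_with_action(contract):
    """Hardened variant: every field that changes meaning, including
    the action, is part of the signed bytes."""
    covered = {k: contract[k] for k in ("type", "action", "key", "value")}
    return json.dumps(covered, sort_keys=True).encode()


def sign(contract, message_fn):
    return hmac.new(SIGNING_KEY, message_fn(contract), hashlib.sha256).hexdigest()


def verify(contract, signature, message_fn):
    # Constant-time comparison of the recomputed tag with the presented one.
    return hmac.compare_digest(sign(contract, message_fn), signature)


def with_flipped_action(contract):
    """A copy of the contract whose action is changed A<->D; the signature
    that came with the original is what a node would then be handed."""
    altered = dict(contract)
    altered["action"] = "D" if contract["action"] == "A" else "A"
    return altered


def demo():
    sig_weak = sign(CONTRACT, message_without_action)
    sig_full = sign(CONTRACT, message_with_action)
    altered = with_flipped_action(CONTRACT)
    return {
        # The weak verifier cannot tell the altered copy apart: accepted.
        "weak_accepts_altered": verify(altered, sig_weak, message_without_action),
        # The hardened verifier rejects it because the action was signed.
        "full_accepts_altered": verify(altered, sig_full, message_with_action),
        # The genuine contract still verifies under the hardened scheme.
        "full_accepts_original": verify(CONTRACT, sig_full, message_with_action),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is not specific to the action flag: any field a node acts on (type, key, value, action, and ideally a nonce or height to stop plain re-submission) must be inside the bytes the signature covers, and the verifier must reconstruct the message from the fields it actually uses rather than from a separately transmitted blob.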
This would be a critical vulnerability, if one could Delete a whitelisted Project such as Rosetta, without knowledge of the Private Key that our admin (Quez) holds. According to the description above, the attacker could Delete the Rosetta project in testnet or Prod.
I assert that you cannot delete Rosetta, as the private key is not in the code. The private key in the code is for Voting (yet voting now requires the public key in the code plus the user's beacon signature).
Please test in testnet and confirm this issue should be closed.
Erkan, please do more due diligence before spreading misinformation in order to profit off of it.
This is fixed in Fern.