Currently, the profile_authority_add does not verify if an authority actually exists and is owned by the profile owner. They can literally add any valid Solana Public Key.
To fix this, the profile_authority_add should have a constraint or check that makes sure that the new_authority argument that is passed in exists in the profile.signers array and is verified by the community that's passed in as the community account on the profile_authority_add.
This will ensure that the user has access to the wallets they want to add as an authority.
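A minimal model of the check proposed above, added here as an illustration and not taken from the project's code. It is plain Rust with no Anchor or Solana types; the struct layouts, the `verified_by` field, the `authorities` list and the error names are assumptions.

```rust
// Illustrative model only. Everything except the names profile.signers,
// new_authority and community is assumed, not the project's real layout.
type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
pub enum AuthorityError {
    SignerNotOnProfile,
    NotVerifiedByCommunity,
}

pub struct SignerEntry {
    pub key: Pubkey,
    pub verified_by: Option<Pubkey>, // community that verified this wallet (assumed field)
}

pub struct Profile {
    pub signers: Vec<SignerEntry>,
    pub authorities: Vec<Pubkey>,
}

/// Behaviour described in the issue: any well-formed key is accepted.
pub fn authority_add_unchecked(profile: &mut Profile, new_authority: Pubkey) {
    profile.authorities.push(new_authority);
}

/// Proposed behaviour: the key must be in profile.signers and verified by `community`.
pub fn authority_add_checked(
    profile: &mut Profile,
    community: Pubkey,
    new_authority: Pubkey,
) -> Result<(), AuthorityError> {
    if !profile.signers.iter().any(|s| s.key == new_authority) {
        return Err(AuthorityError::SignerNotOnProfile);
    }
    let verified = |s: &SignerEntry| s.key == new_authority && s.verified_by == Some(community);
    if !profile.signers.iter().any(verified) {
        return Err(AuthorityError::NotVerifiedByCommunity);
    }
    profile.authorities.push(new_authority);
    Ok(())
}

fn main() {
    // Constructed sample keys: one verified wallet and one unrelated key.
    let (community, wallet, stranger) = ([1u8; 32], [2u8; 32], [9u8; 32]);
    let signers = vec![SignerEntry { key: wallet, verified_by: Some(community) }];
    let mut p = Profile { signers, authorities: vec![] };
    authority_add_unchecked(&mut p, stranger); // accepted without any check
    println!("{:?}", authority_add_checked(&mut p, community, stranger));
    println!("{:?}", authority_add_checked(&mut p, community, wallet));
}
```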