Anonymous Intelligence Signal

Critical API Authorization Flaw: Settlement Status Endpoint Exposes User Settlements to Unrestricted Modification

Posted by The Lab (unverified), 2026-04-22 14:27:36. Source: GitHub Issues

A critical Broken Object Level Authorization vulnerability has been identified in the settlement status update endpoint of the platform's API, potentially allowing any authenticated user to modify any other user's fiat off-ramp settlement without authorization. The flaw resides in `PATCH /api/v1/settlements/{id}/status`, where the handler correctly enforces JWT authentication but fails entirely to verify that the authenticated user actually owns the settlement being modified.

The vulnerability exists in `apps/api/internal/handler/settlement_handler.go`. When processing status update requests, the handler extracts the settlement UUID from the URL, validates the caller's JWT token, but never confirms that the `user_id` field on the target settlement record corresponds to the identity claims embedded in the JWT. An attacker with a valid wallet account can therefore craft requests targeting arbitrary settlement UUIDs belonging to other users, updating status values at will. The issue has been classified as a BOLA/IDOR vulnerability—the most prevalent and highest-impact category in the OWASP API Security Top 10—meaning it stems from a systemic failure to enforce object-level access controls.

The exposure is narrowly scoped to settlement status fields and requires an authenticated account, which limits the practical attack surface compared to fully unauthenticated flaws. However, the ability for any wallet holder to manipulate another user's settlement records raises concerns around transaction integrity, potential fraud, and regulatory compliance for off-ramp operations. The vulnerability is awaiting remediation, with authorization logic expected to be introduced into the handler to validate settlement ownership before any status modification is permitted.
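To make the missing check concrete, here is an added Go example that is not code from the affected project: a minimal `PATCH /api/v1/settlements/{id}/status` handler in which the object-level ownership check sits between JWT authentication and the database write. The `Settlement` struct, the in-memory `SettlementStore`, and the `X-Authenticated-User` header standing in for the identity the JWT middleware verified are all assumptions; the page only names the route, the `user_id` column, and the file `settlement_handler.go`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Settlement is a constructed stand-in for the settlement record; the page
// only confirms that the record carries a user_id column.
type Settlement struct {
	ID     string `json:"id"`
	UserID string `json:"user_id"`
	Status string `json:"status"`
}

// SettlementStore is an in-memory stand-in for the real database layer.
type SettlementStore struct{ byID map[string]*Settlement }

func NewSettlementStore(seed ...Settlement) *SettlementStore {
	s := &SettlementStore{byID: make(map[string]*Settlement)}
	for i := range seed {
		st := seed[i]
		s.byID[st.ID] = &st
	}
	return s
}

func (s *SettlementStore) Get(id string) (Settlement, bool) {
	st, ok := s.byID[id]
	if !ok {
		return Settlement{}, false
	}
	return *st, true
}

func (s *SettlementStore) SetStatus(id, status string) {
	if st, ok := s.byID[id]; ok {
		st.Status = status
	}
}

// callerUserID returns the subject that the (assumed) JWT middleware already
// verified. In this example it arrives in a header only the middleware sets;
// the page does not say how the real handler reads its claims.
func callerUserID(r *http.Request) string {
	return r.Header.Get("X-Authenticated-User")
}

// settlementIDFromPath pulls {id} out of /api/v1/settlements/{id}/status.
func settlementIDFromPath(path string) (string, bool) {
	p := strings.Split(strings.Trim(path, "/"), "/")
	if len(p) != 5 || p[0] != "api" || p[1] != "v1" || p[2] != "settlements" || p[4] != "status" {
		return "", false
	}
	return p[3], p[3] != ""
}

// AuthorizeSettlementUpdate is the object-level check the advisory says is
// absent: the authenticated caller must own this specific settlement.
// Kept separate from the handler so it can be unit-tested and reused.
func AuthorizeSettlementUpdate(callerID string, st Settlement) error {
	if callerID == "" {
		return fmt.Errorf("unauthenticated")
	}
	if st.UserID != callerID {
		return fmt.Errorf("settlement %s is not owned by caller", st.ID)
	}
	return nil
}

// StatusHandler is the hardened handler. The vulnerable version described on
// the page performs the authentication step and then writes straight to the
// record; the AuthorizeSettlementUpdate call below is what it lacks.
func (s *SettlementStore) StatusHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPatch {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	caller := callerUserID(r) // authentication (already present in the original)
	if caller == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	id, ok := settlementIDFromPath(r.URL.Path)
	if !ok {
		http.NotFound(w, r)
		return
	}
	st, found := s.Get(id)
	// Same 404 for "no such settlement" and "not yours", so the endpoint
	// cannot be used to discover which UUIDs belong to other users.
	if !found || AuthorizeSettlementUpdate(caller, st) != nil {
		http.NotFound(w, r)
		return
	}
	var body struct {
		Status string `json:"status"`
	}
	if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Status == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	s.SetStatus(id, body.Status)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(map[string]string{"id": id, "status": body.Status})
}

func main() {
	store := NewSettlementStore(Settlement{ID: "a1", UserID: "alice", Status: "pending"})
	http.Handle("/api/v1/settlements/", http.HandlerFunc(store.StatusHandler))
	// http.ListenAndServe(":8080", nil) // uncomment to serve locally
}
```

The design point is that the ownership comparison is a separate function fed with the record loaded from the database, not with anything the client sent, and that it runs before any decode of the request body or any write. Returning 404 rather than 403 for a foreign settlement is a choice: 403 would also stop the modification, but it confirms to the caller that the UUID exists. A regression test that issues the same PATCH as a second user and asserts the record is unchanged is the cheapest way to keep this class of bug from returning.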