Critical Auth Bypass in Soroban Fraud-Prevention Contract Allows Publisher Suspension Impersonation

A critical authentication bypass vulnerability has been identified in the `flag_suspicious` function within the fraud-prevention module of a Soroban smart contract deployment. The flaw, documented in `contracts/fraud-prevention/src/lib.rs`, enables any external account to impersonate an authorized admin or oracle operator without possessing the corresponding cryptographic keys, effectively granting unauthorized actors the ability to suspend publishers at will.

The vulnerability stems from a fundamental misdesign in the authorization flow. Both `flag_suspicious` and the helper function `_require_admin_or_oracle` accept a `caller: Address` parameter but perform authorization checks only against stored administrative or oracle addresses. Crucially, neither function invokes `caller.require_auth()`, the standard Soroban mechanism for verifying that the transaction signer matches the claimed identity. An attacker need only supply a known oracle address as the `caller` argument to bypass the authorization gate entirely, regardless of whether they control that address's private key.

The practical consequences are significant. Malicious actors could systematically abuse the `flag_suspicious` mechanism to suspend legitimate publishers, disrupting protocol operations, causing reputational damage, or facilitating further attack vectors such as targeted censorship or economic disruption. The absence of cryptographic signer verification fundamentally undermines the trust model the contract attempts to enforce. Projects deploying this or similar code patterns face immediate exposure and should prioritize patching the authentication logic, implementing proper `require_auth()` calls, and auditing dependent systems for analogous flaws before any production deployment.