Summary

This emergency proposal seeks immediate DAO approval to execute a critical upgrade on the NFID Wallet frontend and identity canisters. The upgrade patches a newly discovered vulnerability in the fallback authentication interface that lacks sufficient request rate-limiting, potentially exposing the application to brute-force attacks on user sessions and resource exhaustion.

Background

NFID Wallet relies on a passkey-first authentication model, which is cryptographically secure against automated attacks. However, to ensure maximum accessibility, the application maintains alternative fallback login interfaces (such as email authentication). During a recent internal review of the authentication infrastructure, it was identified that these specific fallback login endpoints do not enforce strict rate limits at the canister level.

Vulnerability Details

The absence of network-level request throttling on the alternative login interface creates a vector for high-frequency automated requests. Specifically:

Login Interface Brute-Forcing: Malicious actors could theoretically spam the fallback authentication endpoints with continuous requests, attempting to brute-force session recovery tokens or overwhelm the identity canister.

Cycles Exhaustion: A sustained automated attack targeting these specific URLs could rapidly deplete the identity canister's cycles, causing service degradation or complete denial of service for all users.

While no user funds or passkey credentials have been compromised, leaving any login interface exposed to brute-force vectors poses an unacceptable security risk for a non-custodial, DAO-governed wallet.

Proposed Action

If adopted, this proposal will automatically execute a canister upgrade, deploying patched WebAssembly (Wasm) modules to the respective NFID canisters.

The patch implements the following security measures:

Strict Rate-Limiting: Enforces maximum request thresholds on all non-passkey login endpoints.

Exponential Backoff: Introduces a mandatory time-delay mechanism for failed authentication attempts to mathematically neutralize brute-force capabilities.
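
The two measures listed above, a request cap and exponential backoff on failed attempts, shown as an added Rust example; it is not the NFID patch or any project code. The thresholds, the `LoginGuard` type and keying by the account identifier being logged into are assumptions, and the caller supplies the current time in seconds.

```rust
use std::collections::HashMap;

// Assumed policy values (not taken from the proposal).
const WINDOW_SECS: u64 = 60; // fixed window length
const MAX_PER_WINDOW: u32 = 5; // requests allowed per key per window
const BASE_DELAY_SECS: u64 = 2; // lockout after the first failure
const MAX_DELAY_SECS: u64 = 3600; // upper bound on the lockout

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, RateLimited, LockedUntil(u64) }

#[derive(Default)]
struct Entry { window_start: u64, count: u32, failures: u32, locked_until: u64 }

#[derive(Default)]
pub struct LoginGuard { entries: HashMap<String, Entry> }

impl LoginGuard {
    /// Call before doing any work for a fallback login request.
    pub fn check(&mut self, key: &str, now: u64) -> Decision {
        let e = self.entries.entry(key.to_string()).or_default();
        if now < e.locked_until { return Decision::LockedUntil(e.locked_until); }
        if now >= e.window_start + WINDOW_SECS { e.window_start = now; e.count = 0; }
        if e.count >= MAX_PER_WINDOW { return Decision::RateLimited; }
        e.count += 1;
        Decision::Allow
    }

    /// Record the outcome of an attempt that `check` allowed.
    pub fn record(&mut self, key: &str, success: bool, now: u64) {
        let e = self.entries.entry(key.to_string()).or_default();
        if success { e.failures = 0; e.locked_until = 0; return; }
        e.failures = e.failures.saturating_add(1);
        // Lockout doubles per consecutive failure: BASE * 2^(failures-1), capped.
        let shift = (e.failures - 1).min(32);
        let delay = BASE_DELAY_SECS.saturating_mul(1u64 << shift).min(MAX_DELAY_SECS);
        e.locked_until = now.saturating_add(delay);
    }
}

fn main() {
    let mut g = LoginGuard::default();
    // Constructed timeline: every allowed attempt fails.
    for t in [1000u64, 1001, 1002, 1005, 1006] {
        let d = g.check("user@example.test", t);
        if d == Decision::Allow { g.record("user@example.test", false, t); }
        println!("t={} {:?}", t, d);
    }
}
```

Keying on the target account rather than the requester means rotating the sending identity does not reset the counters, at the cost of letting an attacker lock a known account out for up to the capped delay.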



This proposal was created using https://ic-toolkit.app

Payload

Proposal to transfer SNS Treasury funds:

Source treasury: ICP Treasury (ICP Ledger)

Amount: 15000.00000000 ICP

Amount (e8s): 1500000000000

Target principal: vdvfz-dom4i-wnr6s-6mtnu-q3r7p-eytp4-5qxod-l3f7k-roejt-x3mdm-7qe

Target account: vdvfz-dom4i-wnr6s-6mtnu-q3r7p-eytp4-5qxod-l3f7k-roejt-x3mdm-7qe

Memo: 0

Overview