
bug: reportUser lacks authentication and duplicate-report protection enabling arbitrary blacklisting #71

@ayuxsh009

Description

Problem

The reportUser function in UserSide.sol does not enforce any authentication or validation checks before incrementing report counts.

As a result, any arbitrary address — including unregistered or malicious accounts — can repeatedly call reportUser against any target user ID. Since the blacklist threshold is only >100, an attacker can automate 101 calls (or batch them in a loop) to instantly and permanently blacklist any doctor or patient in the system.

This breaks the integrity and availability of the platform by allowing unauthorized actors to remove legitimate users from participation.

Location

MedETH/foundry/src/UserSide.sol, reportUser function (~line 158)

Current Code

```solidity
// Vulnerable as reported: no caller checks of any kind.
function reportUser(uint256 _userId) public {
    // Caller is not required to be registered, is not checked against the target,
    // and is not prevented from calling again, so the counter is fully attacker-controlled.
    userIdtoReportUser[_userId]++;
    if (userIdtoReportUser[_userId] > 100) {
        userIdtoBlacklist[_userId] = true; // permanent; nothing ever clears it
    }
}
```

Impact

  • Any address can blacklist any user
  • No registration or verification required
  • Duplicate reports from the same address are allowed
  • Blacklisting can be triggered instantly through scripted calls
  • Legitimate doctors and patients can be permanently denied access

Expected Behavior

  • Only registered and verified users should be allowed to report others
  • A user should only be able to report another user once
  • Self-reporting should be prevented
  • Optional rate limiting or moderation safeguards should exist before blacklisting
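As an added example (not MedETH's code and not part of the issue), the following contract applies the four expected-behavior points above to the reportUser shape quoted in the issue, and a Foundry test shows the original "loop 101 calls from one address" attack now reverts. The storage names userIdtoReportUser and userIdtoBlacklist come from the issue; the registration mappings (addressToUserId, userIdToAddress), the register() helper, hasReported, REPORT_THRESHOLD, the custom errors and the test addresses are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Hardened variant of the reported function. Example code only; the
/// registration model below is an assumption, not MedETH's actual one.
contract UserSideHardened {
    uint256 public constant REPORT_THRESHOLD = 100; // keeps the page's ">100" rule

    mapping(uint256 => uint256) public userIdtoReportUser; // name from the issue
    mapping(uint256 => bool) public userIdtoBlacklist;     // name from the issue

    // Assumed registration state: user id 0 means "not registered".
    mapping(address => uint256) public addressToUserId;
    mapping(uint256 => address) public userIdToAddress;
    uint256 private nextUserId = 1;

    // One report per (reporter address, target id) pair.
    mapping(address => mapping(uint256 => bool)) public hasReported;

    error NotRegistered(address caller);
    error UnknownTarget(uint256 userId);
    error SelfReport(uint256 userId);
    error AlreadyReported(address reporter, uint256 userId);
    error CallerBlacklisted(uint256 userId);

    event UserReported(uint256 indexed target, address indexed reporter, uint256 count);
    event UserBlacklisted(uint256 indexed target);

    /// Minimal self-registration so the example runs stand-alone (assumed API).
    /// In a real deployment this is where identity verification would gate entry.
    function register() external returns (uint256 userId) {
        require(addressToUserId[msg.sender] == 0, "already registered");
        userId = nextUserId++;
        addressToUserId[msg.sender] = userId;
        userIdToAddress[userId] = msg.sender;
    }

    modifier onlyRegistered() {
        if (addressToUserId[msg.sender] == 0) revert NotRegistered(msg.sender);
        _;
    }

    function reportUser(uint256 _userId) external onlyRegistered {
        uint256 reporterId = addressToUserId[msg.sender];
        if (userIdtoBlacklist[reporterId]) revert CallerBlacklisted(reporterId);
        if (userIdToAddress[_userId] == address(0)) revert UnknownTarget(_userId);
        if (reporterId == _userId) revert SelfReport(_userId);
        if (hasReported[msg.sender][_userId]) revert AlreadyReported(msg.sender, _userId);

        hasReported[msg.sender][_userId] = true;        // effect before any further logic
        uint256 count = ++userIdtoReportUser[_userId];
        emit UserReported(_userId, msg.sender, count);

        if (count > REPORT_THRESHOLD && !userIdtoBlacklist[_userId]) {
            userIdtoBlacklist[_userId] = true;
            emit UserBlacklisted(_userId);
        }
    }
}

/// Foundry tests reproducing the issue's attack against the hardened contract.
contract ReportUserTest is Test {
    UserSideHardened side;
    address constant VICTIM = address(0xBEEF);   // assumed test address
    address constant ATTACKER = address(0xA77A); // assumed test address
    uint256 victimId;

    function setUp() public {
        side = new UserSideHardened();
        vm.prank(VICTIM);
        victimId = side.register();
    }

    function testUnregisteredAddressCannotReport() public {
        vm.prank(ATTACKER);
        vm.expectRevert(abi.encodeWithSelector(UserSideHardened.NotRegistered.selector, ATTACKER));
        side.reportUser(victimId);
    }

    function testSingleReporterCannotReachThreshold() public {
        vm.startPrank(ATTACKER);
        side.register();
        side.reportUser(victimId); // first report is counted once
        vm.expectRevert(abi.encodeWithSelector(UserSideHardened.AlreadyReported.selector, ATTACKER, victimId));
        side.reportUser(victimId); // the looped second call is rejected
        vm.stopPrank();
        assertEq(side.userIdtoReportUser(victimId), 1);
        assertFalse(side.userIdtoBlacklist(victimId));
    }
}
```

Run with `forge test` inside a Foundry project that vendors forge-std. One caveat the issue's "registered and verified" wording points at: the per-address duplicate check only raises the cost of the attack. If register() stays open to anyone, an attacker can still create 101 fresh addresses, so the threshold is only meaningful once registration itself is gated by the verification step the issue asks for, or once blacklisting requires a moderation decision rather than a raw counter.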
