Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
GET /v1/contributors/:login/profile and the gittensory_get_contributor_profile MCP tool skip the contributor-scoped access check that every sibling endpoint enforces. Any authenticated session/API/MCP token holder can read any contributor's profile; for confirmed Gittensor miners that exposes alphaPerDay, taoPerDay, usdPerDay (and the hotkey on the REST path). Authenticated cross-contributor disclosure, CWE-284 / IDOR.