Severity
High — potential compliance / data-correctness issue.
Problem
swissTaxResidence is set to a hardcoded true literal in the registration submit:
lib/screens/kyc/steps/registration/kyc_registration_page.dart:221 — swissTaxResidence: true
No UI ever collects this value — there is no checkbox or toggle for it. The hardcoded true is then:
- included in the EIP-712 signature (lib/packages/wallet/eip712_signer.dart — swissTaxResidence is part of the signed message), and
- sent in the request DTO (RealUnitRegistrationRequestDto).
Effect
Every user — regardless of where they live — signs and submits "I am tax-resident in Switzerland". If the user sets their address country in step 2 to e.g. Germany, the registration envelope contains addressCountry = 'DE' together with swissTaxResidence = true — an internal contradiction inside a cryptographically signed payload.
Suggested fix
Either collect Swiss tax residence explicitly in the registration UI, or derive it deterministically (e.g. from addressCountry == CH). It must not be a hardcoded constant.
Context
Found during a deep audit of the KYC country/nationality data path (see #519).
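
One way to implement the suggested fix, as an added example that is not part of the original issue or the project's code. The function and class names are hypothetical, and blocking the signature on a mismatch is an assumed policy:

```dart
// Added example; all names here are hypothetical, not taken from the app's code base.

/// Thrown when the registration data must not be signed as-is.
class RegistrationConsistencyError implements Exception {
  final String message;
  RegistrationConsistencyError(this.message);
  @override
  String toString() => 'RegistrationConsistencyError: $message';
}

/// Resolves the value that goes into the signed message and the request DTO.
///
/// [declared] is the user's explicit answer from a UI control (null when no
/// control collected one). [addressCountry] is the two-letter country code
/// from the address step.
bool resolveSwissTaxResidence({
  required String addressCountry,
  bool? declared,
}) {
  final country = addressCountry.trim().toUpperCase();
  if (!RegExp(r'^[A-Z]{2}$').hasMatch(country)) {
    throw RegistrationConsistencyError(
        'invalid addressCountry: "$addressCountry"');
  }
  final derived = country == 'CH';
  // No explicit answer: derive deterministically from the address country.
  if (declared == null) return derived;
  // Explicit answer: assumed policy is to refuse to sign a payload that
  // contradicts the address country rather than embed the mismatch.
  if (declared != derived) {
    throw RegistrationConsistencyError(
        'swissTaxResidence=$declared conflicts with addressCountry=$country');
  }
  return declared;
}

void main() {
  // Constructed sample inputs.
  print(resolveSwissTaxResidence(addressCountry: 'CH'));
  print(resolveSwissTaxResidence(addressCountry: 'de'));
  try {
    // The combination described in the issue: DE address with a true flag.
    resolveSwissTaxResidence(addressCountry: 'DE', declared: true);
  } on RegistrationConsistencyError catch (e) {
    print(e);
  }
}
```

The resolved value should be computed once and passed to both the signer and the DTO, so the two cannot diverge.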