Severity: P0
Reported by: DevEx Audit External
Source: DevEx Audit (External), 3 June 2026

Symptom

When `pg deploy` errors out, the CLI exposes internal sudo URLs (https://sudo.personhood.dev/personhood-faucet and https://sudo.personhood.dev/dotns-bootstrap) directly to the end user. The auditor flagged this as a security/UX issue: those are internal bootstrap endpoints not intended for public consumption.

Per audit Appendix CLI screenshots: "sudo.personhood.dev doesn't look like a place to visit for regular users."

Reproduction

With a signer that's not yet ProofOfPersonhoodFull, observe that the error message includes the two sudo URLs.

Recommended fix / next steps

Stop surfacing internal sudo URLs to end users. The PoP-bootstrap recipe should be wrapped in CLI commands or hidden behind official tooling.

Replace the error with a user-friendly message: "Your account needs full Proof-of-Personhood to deploy. Open the Polkadot mobile app and complete attestation." Optionally automate this via a `playground bootstrap` command.
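One way to implement the recommended fix, as an added example that is not the `pg` CLI's own code: an error-presentation layer that maps each failure class to a fixed user-facing message and runs a redaction pass over any free-form detail before it can reach the terminal. The `DeployError` shape, its `code` values, and the helper names are assumptions for this example; only the two sudo URLs and the recommended message wording come from the issue.

```typescript
// Internal hosts that must never appear in end-user output. The hostname is
// taken from the issue; keeping it in a deny-list is this example's own design.
const INTERNAL_HOSTS: string[] = ["sudo.personhood.dev"];

// Hypothetical structured error thrown by the deploy path (assumed shape).
interface DeployError {
  code: "POP_NOT_FULL" | "RPC_UNREACHABLE" | "UNKNOWN";
  internalDetail?: string; // lower-level text that may reference bootstrap URLs
}

// One fixed message per failure class. POP_NOT_FULL uses the wording the
// issue recommends; the other two are illustrative.
const USER_MESSAGES: Record<DeployError["code"], string> = {
  POP_NOT_FULL:
    "Your account needs full Proof-of-Personhood to deploy. " +
    "Open the Polkadot mobile app and complete attestation.",
  RPC_UNREACHABLE: "Could not reach the network. Check your connection and retry.",
  UNKNOWN: "Deployment failed. Run again with --verbose for details.",
};

// Replace any URL whose host is internal (or a subdomain of one) with a
// placeholder. Non-internal URLs and non-URL text pass through unchanged.
function redactInternalUrls(text: string): string {
  return text.replace(/https?:\/\/[^\s)'"]+/g, (url) => {
    let host: string;
    try {
      host = new URL(url).hostname;
    } catch {
      return url; // not a parseable URL; leave it alone
    }
    const internal = INTERNAL_HOSTS.some(
      (h) => host === h || host.endsWith("." + h),
    );
    return internal ? "<internal endpoint>" : url;
  });
}

// Split one error into the message shown to the user and a redacted
// diagnostic line that is safe to print under --verbose. The raw
// internalDetail is deliberately not returned.
function presentDeployError(err: DeployError): { user: string; diagnostic: string } {
  const user = USER_MESSAGES[err.code] ?? USER_MESSAGES.UNKNOWN;
  const diagnostic = `[deploy] ${err.code}: ${redactInternalUrls(err.internalDetail ?? "")}`;
  return { user, diagnostic };
}

// Regression guard a CLI test-suite can run over every rendered message.
function leaksInternalHost(text: string): boolean {
  return INTERNAL_HOSTS.some((h) => text.includes(h));
}

// Constructed sample: the failure the issue describes, carrying both
// bootstrap URLs in its internal detail.
const sampleError: DeployError = {
  code: "POP_NOT_FULL",
  internalDetail:
    "signer lacks ProofOfPersonhoodFull; bootstrap via " +
    "https://sudo.personhood.dev/personhood-faucet and " +
    "https://sudo.personhood.dev/dotns-bootstrap",
};

const rendered = presentDeployError(sampleError);
console.log(rendered.user);
console.log(rendered.diagnostic);
```

The fixed-message table is the primary control: the user string never derives from the internal error text, so there is nothing to leak. The redaction pass is a second layer for any path (verbose output, pasted logs) where lower-level text is still printed, and `leaksInternalHost` turns the issue's complaint into a check the CLI's own tests can enforce.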