From dbfef374d2f0117def275c556a0d6d517bc303c9 Mon Sep 17 00:00:00 2001 From: Jimmy Debe <91767824+jimstir@users.noreply.github.com> Date: Wed, 28 May 2025 17:05:21 -0400 Subject: [PATCH] Update rln-contract.md --- standards/core/rln-contract.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/standards/core/rln-contract.md b/standards/core/rln-contract.md index 1410022..5cc65cc 100644 --- a/standards/core/rln-contract.md +++ b/standards/core/rln-contract.md @@ -53,6 +53,8 @@ Membership registration MAY be initiated by a different entity from the one that which is associated with the respective RLN `identity_commitment`. Therefore, the holder role MAY be assigned to a blockchain address that is not derived from the `identity_secret`. The contract SHOULD verify that the `identity_commitment` is valid. +If the `identity_commitment` is not checked or validated, +the contract MAY be exploited using malicious or malformed inputs. When authorizing membership-related requests, the contract MUST distinguish between the holder and non-holders, and MAY also implement additional criteria.
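Review bot: In the two added lines, the uppercase "MAY" in "the contract MAY be exploited" reads as a normative keyword granting permission, but the sentence describes a risk rather than optional contract behaviour. Use lowercase "may" or "can" there, so that only the requirement keywords in the surrounding paragraph (MAY, SHOULD, MUST) carry normative weight. The added rationale also says "checked or validated" without stating what makes an `identity_commitment` valid, and the preceding context line has the same gap. Naming the validity criteria the contract is expected to enforce would make the sentence actionable for implementers. Since the new text ties skipping the check to exploitation, consider whether the preceding "The contract SHOULD verify that the `identity_commitment` is valid." should become a MUST, or else state when skipping verification is acceptable.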