There seems to be some low-hanging fruit issues in Milestone 3 that should have been fixed before Milestone 4 funding was requested. When the platform goes into production, users should be engaging with a clean, fully functioning application. Launching marketing activities, in M4, without that readiness may reflect poorly on the product and on Rootstock.
To avoid any misunderstanding around expectations, I’m happy to have a call with you to walk-through the platform together and provide live support so you can make the necessary changes and hopefully get delegate support.
Feel free to send me a DM to schedule, if you would like. @Luis_VOTTUN
Update @Tane email issued fixed.
All users where place as spanish users by default. All users registered can change this in its profile and they should receve emails in English. For new users, this has been fixed.
Let´s continue
Thanks
Here are the latest updates in QuestHub following @Tane feedback:
Profile Management Improvements Besides translations fixed. The user profile module has been updated to allow users to edit and persist their personal data and profile images in real time. Previously, profile updates were only reflected after a new session was started; this behavior has now been fixed so that changes are applied immediately upon saving.
Enhanced Avatar ManagementThe avatar upload system has been refactored to support multiple stored profile images per user. Users now have access to a personal avatar gallery, allowing them to:
Select a previously uploaded image instead of uploading a new one
Delete unused avatars. This improves UX while maintaining consistency with existing identity and profile data structures.
We prepare these changes, besides the texts fixed,to improve both data consistency and user experience, and prepare the profile layer for future integrations that rely on persistent user identity and metadata.
Besides this latest update in UX we have been working in security too. I will prepare an additional update as it si long but worhty to share with the community.
As we continue improving our app, please provide us with any other feedback that you can have to solve initial user issues. Thanks!
We have working in fixing a security issue that was reported recently that could affect our app. We are happy to share the resolution as this could affect other projects and we are all togetehr in fighting bad actors.
Security Update – React & Next.js (Dec 2025)
**Status: Resolved and Secured **
We want to share a recent security update affecting projects built with React Server Components and Next.js, including lessons learned that may help other teams in the ecosystem.
What happened
In December 2025 , multiple critical vulnerabilities were disclosed in:
React 19.x
Next.js 15.x / early 16.x
These issues allowed:
Remote code execution (CVSS 10.0)
Denial of service
Potential source code exposure
Some of these vulnerabilities were actively exploited within hours of disclosure.
We suffer a real incident: attempted exploit (blocked)
We detected an attempted attack where a malicious executable was uploaded disguised as an image file.
The attack was successfully blocked thanks to existing security layers:
Files renamed with random UUIDs
Application isolated inside Docker containers
Basic upload validation already in place
No access to the system or infrastructure was gained.
** Mitigations applied immediately**
We upgraded all core dependencies to secure versions:
React / React-DOM →
Next.js →
And reinforced upload security:
Validation of file “magic bytes” (real file content, not extension)
Removal of dangerous file types (executables, compressed archives)
Advisory databases lag behind real-world exploitation
npm audit does not detect zero-day or actively exploited issues
Lesson: don’t rely on a single tool—monitor framework security channels directly.
Key takeaways for builders
Use defense in depth (multiple security layers)
Don’t trust file extensions or headers—validate real content
Containers help, but are not enough alone
Patch immediately when CVSS is critical and exploitation is active
Rotate secrets after any exposure window
** Current status**
Platform fully patched and redeployed
No breach, no data loss
Ongoing monitoring in place
We will publish a more detailed medium article with extended details for builders later this week. In any case, if someone is suffereing from this issue, let’s us know if we can help.
Quick update: @arcos (Sergi) and I spoke, and he’ll be revising the Mission copy. This includes refining the Mission and Quest descriptions to replace marketing language with more accurate, contextualized wording, as well as removing any remaining Spanish text.
Thanks for the update, @Luis_VOTTUN. We have confirmed the raised issues on the Profile page have been fixed. We believe it was a critical one and are glad to see this fixed after a quick turnaround.
We will wait for the final description updates according to the call with @arcos and @404Gov and conduct our final review. We are confident that the next proposal will have support from delegates including us, who has extensively reviewed the app and been against the past one before.
One question on this: this is a very understandable approach and we respect it but we would also like to understand your plan to automate those reviews as you are going to scale the app for many more users in the future.
With all this updates, we believ we are ready to push this project forward.
I´m submitting the proposal again. I hope this time will pass and we will get this into production.
Thanks to all for your feedback.
I hope you will support the new proposal.
Vottun Team
I decided to vote FOR this proposal. I reviewed the platform again and most of the requested changes have been implemented. While some notification alerts are still appearing in Spanish (see screenshot below), I don’t view this as a blocker.
Why