Skip to main content

Overview

The Digital Signature Module analyzes how contracts handle cryptographic signatures, detecting vulnerabilities that could allow signature replay attacks, forgery, or unauthorized access.

What Are Digital Signatures?

Digital signatures in blockchain provide:
  • Authentication: Proof that a message came from a specific address
  • Integrity: Assurance the message hasn’t been altered
  • Non-repudiation: Signer cannot deny signing

Common Vulnerabilities

Signature Replay Attack

Using the same signature multiple times.
Attack: User claims rewards repeatedly with the same signature.

Cross-Chain Replay

Signature valid on multiple chains.
Attack: Signature from mainnet replayed on testnet or L2.

Missing Nonce

No mechanism to invalidate old signatures.

Signature Malleability

ECDSA signatures can be modified while remaining valid.

Safe Patterns

Nonce-Based Replay Protection

EIP-712 Typed Data

OpenZeppelin ECDSA

Detection Tags

API Response Example

Best Practices

  • Include nonce in all signed messages
  • Include block.chainid to prevent cross-chain replay
  • Include contract address to prevent cross-contract replay
  • Use EIP-712 for structured, typed signing
  • Use OpenZeppelin’s ECDSA library
  • Mark used signatures/nonces as consumed
  • Consider signature expiration timestamps