Digital Signature Module

// Basic signature verification
function verify(
    bytes32 messageHash,
    bytes memory signature,
    address expectedSigner
) public pure returns (bool) {
    return recoverSigner(messageHash, signature) == expectedSigner;
}

// VULNERABLE: No replay protection
function claim(uint256 amount, bytes memory signature) public {
    bytes32 hash = keccak256(abi.encodePacked(msg.sender, amount));
    require(verify(hash, signature, signer), "Invalid signature");
    _mint(msg.sender, amount);  // Can be called multiple times!
}

// VULNERABLE: No chain ID in signature
function execute(address to, uint256 value, bytes memory signature) public {
    bytes32 hash = keccak256(abi.encodePacked(to, value));
    require(verify(hash, signature, owner), "Invalid signature");
    payable(to).transfer(value);
}

// VULNERABLE: Signatures never expire
function withdraw(uint256 amount, bytes memory signature) public {
    bytes32 hash = keccak256(abi.encodePacked(msg.sender, amount));
    require(verify(hash, signature, admin), "Invalid");
    // No nonce - signature is valid forever
    _transfer(address(this), msg.sender, amount);
}

// VULNERABLE: No malleability check
function verifySignature(bytes32 hash, uint8 v, bytes32 r, bytes32 s)
    public pure returns (address)
{
    return ecrecover(hash, v, r, s);  // Malleable!
}

// SAFE: Nonce prevents replay
mapping(address => uint256) public nonces;

function claim(uint256 amount, uint256 nonce, bytes memory signature) public {
    require(nonce == nonces[msg.sender], "Invalid nonce");

    bytes32 hash = keccak256(abi.encodePacked(
        msg.sender,
        amount,
        nonce,
        block.chainid,  // Chain-specific
        address(this)   // Contract-specific
    ));

    require(verify(hash, signature, signer), "Invalid signature");
    nonces[msg.sender]++;  // Increment nonce
    _mint(msg.sender, amount);
}

// SAFE: Structured, typed signing
bytes32 public constant CLAIM_TYPEHASH =
    keccak256("Claim(address recipient,uint256 amount,uint256 nonce)");

function claim(uint256 amount, uint256 nonce, bytes memory signature) public {
    bytes32 structHash = keccak256(abi.encode(
        CLAIM_TYPEHASH,
        msg.sender,
        amount,
        nonce
    ));

    bytes32 hash = _hashTypedDataV4(structHash);  // Includes domain separator
    address signer = ECDSA.recover(hash, signature);

    require(signer == authorizedSigner, "Invalid signature");
    require(nonce == nonces[msg.sender]++, "Invalid nonce");

    _mint(msg.sender, amount);
}

// SAFE: Using audited library
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

using ECDSA for bytes32;

function verify(bytes32 hash, bytes memory signature) public view returns (bool) {
    // Handles malleability, returns address(0) on failure
    return hash.toEthSignedMessageHash().recover(signature) == trustedSigner;
}

{
  "issues": [
    {
      "tag": "signature_replay",
      "severity": "high",
      "description": "Signature can be reused - no nonce or invalidation",
      "location": "claim(uint256,bytes)"
    },
    {
      "tag": "missing_chainid",
      "severity": "medium",
      "description": "Signature hash does not include chain ID",
      "location": "execute(address,uint256,bytes)"
    }
  ]
}