#57373 [SC - Medium] Signature replay vulnerability due to missing nonce and deadline checks

Submitted on Oct 25th 2025 at 16:04:58 UTC by @TECHFUND_inc for Audit Comp | Belong

  • Report ID: #57373

  • Report Type: Smart Contract

  • Report severity: Medium

  • Target: https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/utils/SignatureVerifier.sol

  • Impacts:

    • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Description

Brief/Intro

The protocol verifies signatures without nonces, allowing attackers to replay valid signatures. It also lacks a deadline mechanism, so a signature never expires and can be replayed at any later time.

Example (also present in checkCustomerInfo()):

    function checkVenueInfo(
        address signer,
        VenueInfo calldata venueInfo
    ) external view {
        //@> Nonce and deadline parameters are missing
        require(
            signer.isValidSignatureNow(
                keccak256(
                    abi.encodePacked(
                        venueInfo.venue,
                        venueInfo.referralCode,
                        venueInfo.uri,
                        block.chainid
                    )
                ),
                venueInfo.signature
            ),
            InvalidSignature()
        );
    }

Vulnerability Details

The SignatureVerifier library lacks nonce or timestamp (deadline) checks, allowing signatures to be replayed on the same chain. The same valid signature can be reused multiple times. For example, a venue deposit signature can be replayed to force multiple deposits, or a customer payment signature can be replayed to make duplicate payments.

Impact Details

Attackers can replay valid signatures to force venue creators and venue customers to make multiple deposits, draining their funds.

Mitigation

Consider implementing nonce and deadline checks in SignatureVerifier functions. Example implementation pattern:

(Adapt naming, types and storage layout to the actual contract code. The above is a conceptual example showing the inclusion of a nonce and a deadline in the signed payload and the incrementing of the nonce after successful verification.)
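A hardened variant of checkVenueInfo along the lines of the mitigation above, as an added example (not the report's or Belong's code): the signed payload binds a per-venue nonce and a deadline, the nonce is consumed only after verification succeeds, and the function is no longer view because it writes state. The contract name, the VenueInfo field types, the use of abi.encode instead of abi.encodePacked and the per-venue nonce granularity are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {SignatureChecker} from "@openzeppelin/contracts/utils/cryptography/SignatureChecker.sol";

/// Hardened variant of checkVenueInfo: the digest binds a per-venue nonce and a deadline,
/// and the nonce is consumed on success so each signature verifies at most once.
contract ReplaySafeVenueVerifier {
    using SignatureChecker for address;

    // Field names follow the report; nonce and deadline are the added fields (assumption).
    struct VenueInfo {
        address venue;
        bytes32 referralCode;  // type assumed; the report does not show the struct
        string uri;
        uint256 nonce;
        uint256 deadline;      // unix timestamp after which the signature is rejected
        bytes signature;
    }

    error InvalidSignature();
    error SignatureExpired();
    error InvalidNonce();

    // Per-venue nonce (granularity is an assumption; see the report's notes).
    mapping(address => uint256) public nonces;

    function checkVenueInfo(address signer, VenueInfo calldata venueInfo) external {
        if (block.timestamp > venueInfo.deadline) revert SignatureExpired();
        if (venueInfo.nonce != nonces[venueInfo.venue]) revert InvalidNonce();

        // abi.encode avoids the ambiguity encodePacked has with dynamic fields such as uri;
        // address(this) and chainid bind the signature to this contract and chain.
        bytes32 digest = keccak256(
            abi.encode(
                address(this),
                block.chainid,
                venueInfo.venue,
                venueInfo.referralCode,
                venueInfo.uri,
                venueInfo.nonce,
                venueInfo.deadline
            )
        );
        if (!signer.isValidSignatureNow(digest, venueInfo.signature)) revert InvalidSignature();

        // Consume the nonce only after the signature checks out; a replay now fails on InvalidNonce.
        nonces[venueInfo.venue] = venueInfo.nonce + 1;
    }
}
```

Off-chain signers must include the current nonce (read from `nonces(venue)`) and the chosen deadline in the payload they sign, otherwise every signature is rejected.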

Proof of Concept

1. Setup: add attacker to fixture

Add an attacker address to the test fixture:

2. Attack POC test

Add the following test and run:

yarn hardhat test test/v2/platform/belong-check-in.test.ts --grep "Attack POC"

3. Observed logs

Test run logs

Notes

  • Do not change the semantics of the verification logic beyond adding nonce and deadline checks; ensure signatures include any newly required fields (nonce, deadline) in the signed payload so that off-chain signers produce signatures that bind to these fields.

  • When adding nonces, choose appropriate granularity for the nonce key (per-user/per-venue/per-customer) based on intended guarantees.

  • Consider using EIP-712 typed structured data for signing to avoid issues with abi.encodePacked collisions and improve clarity.
