57911 sc medium signature are malleable in signatureverifier sol

• Report ID: #57911

• Report Type: Smart Contract

• Report severity: Medium

• Target: https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/utils/SignatureVerifier.sol

• Submitted on: Oct 29th 2025 at 12:38:02 UTC by @Bx4 for Audit Comp | Belong

Description

Brief / Intro

In SignatureVerifier.sol, the protocol does not implement checks to prevent signature malleability.

Vulnerability Details

SignatureVerifier.sol imports SignatureCheckerLib from Solady. That library uses its isValidSignatureNow implementation to verify signatures.

According to the Solady documentation, the imported library does not prevent malleability, and consumers must implement their own checks against malleability. The current implementation does not add such checks.

Malleability allows an existing signature to be manipulated and potentially reused.

Impact Details

Signature malleability can be abused by attackers for personal gains. The contract therefore fails to fully guarantee the integrity of verified signatures, even if no direct loss of funds occurs.

References

• https://github.com/belongnet/checkin-contracts/blob/22d92a3af433a1cf4d0aa758f872c887b2f33db8/contracts/v2/utils/SignatureVerifier.sol#L4

• https://github.com/belongnet/checkin-contracts/blob/22d92a3af433a1cf4d0aa758f872c887b2f33db8/contracts/v2/utils/SignatureVerifier.sol#L28

• Solady SignatureCheckerLib note: https://github.com/Vectorized/solady/blob/73f13dd1483707ef6b4d16cb0543570b7e1715a8/src/utils/SignatureCheckerLib.sol#L23

Proof of Concept