Signature Replay Attacks in Solidity: How a Valid-Looking Contract Can Drain Funds
Signature replay attacks are a subtle but dangerous vulnerability in Solidity smart contracts where a valid off-chain signature can be reused multiple times unless explicitly prevented. The core flaw occurs when a contract verifies a signature and recovers the correct signer but includes no mechanism to mark that signature as already used. A nonce-based fix resolves single-contract replay, but deploying the same contract across multiple chains like Base and Arbitrum introduces cross-chain replay risk if the signed hash omits the chain ID and contract address. EIP-712 domain separators bind signatures to a specific chain and contract, closing that gap. A third, harder-to-detect variant arises when nonces are reset, inadvertently reactivating previously used signatures and bypassing the protection entirely.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in