Improper Verification of Cryptographic Signature
| Property | Value |
|---|---|
| Language | solidity |
| Severity | |
| CWE | CWE-347: Improper Verification of Cryptographic Signature |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The function uses ECDSA.recover to validate signatures but does not protect against signature malleability, meaning the same message can have multiple valid signatures. This can allow attackers to generate alternative signatures that pass verification.
Impact
An attacker could exploit this to bypass signature-based controls, replay actions, or manipulate logic that relies on unique signatures, potentially leading to unauthorized transactions, double-spending, or incorrect contract states.
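The pattern described above, shown as an added example (not code from this rule or from any scanned project): a replay guard keyed on the signature bytes beside a corrected version that rejects non-canonical `s` and `v` values and keys the guard on the signed message. The contract, function and variable names are hypothetical, and the built-in `ecrecover` is used in place of a library call so the checks are visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: contract, function and variable names are hypothetical.
contract SignedClaims {
    // Half the secp256k1 group order n. A canonical signature has s <= n/2.
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public immutable signer;
    mapping(bytes32 => bool) public usedSignature; // weak guard: keyed by signature bytes
    mapping(bytes32 => bool) public usedDigest;    // corrected guard: keyed by signed message
    mapping(address => uint256) public credited;

    constructor(address signer_) {
        // A non-zero signer means a failed ecrecover (address(0)) can never match.
        require(signer_ != address(0), "zero signer");
        signer = signer_;
    }

    // Binds the signed message to this chain, this contract and a nonce.
    function digestOf(address to, uint256 amount, uint256 nonce) public view returns (bytes32) {
        return keccak256(abi.encode(block.chainid, address(this), to, amount, nonce));
    }

    // Weak: uniqueness is tracked per signature encoding. A second valid
    // encoding of the same signature maps to a different key and is accepted.
    function claimWeak(address to, uint256 amount, uint256 nonce, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 key = keccak256(abi.encodePacked(r, s, v));
        require(!usedSignature[key], "signature already used");
        require(ecrecover(digestOf(to, amount, nonce), v, r, s) == signer, "bad signature");
        usedSignature[key] = true;
        credited[to] += amount;
    }

    // Corrected: reject non-canonical encodings and track the message itself.
    function claimHardened(address to, uint256 amount, uint256 nonce, uint8 v, bytes32 r, bytes32 s) external {
        require(uint256(s) <= HALF_N, "non-canonical s");
        require(v == 27 || v == 28, "invalid v");
        bytes32 digest = digestOf(to, amount, nonce);
        require(!usedDigest[digest], "message already consumed");
        require(ecrecover(digest, v, r, s) == signer, "bad signature");
        usedDigest[digest] = true;
        credited[to] += amount;
    }
}
```

When reviewing a finding from this rule, check what the contract uses as its uniqueness key: a guard keyed on the message digest or a nonce is unaffected by how many encodings of the signature exist.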