Cryptography
high severity
Signature Replay Attacks
Signature replay attacks occur when a valid signed message can be reused to execute the same action multiple times, or across different contracts or chains.
How It Works
If a contract verifies signatures without binding the signed data to a nonce, the contract address, and the chain ID, a previously signed message can be resubmitted to execute the same unauthorized transaction repeatedly, or submitted to another deployment of the same contract on a different chain where the signature verifies just as well.
Real-World Examples
Wintermute (Optimism), 2022, $20M
A signature replay issue related to multi-chain deployment allowed unauthorized access to OP tokens on Optimism.
Code Examples
Vulnerable Code

// VULNERABLE: no nonce, and no domain separator (chain ID, contract address) in the signed data
function executeWithSig(address to, uint256 amount, bytes memory sig) external {
    // The hash covers only the payload, so it is identical on every chain and
    // every deployment that uses this function.
    bytes32 hash = keccak256(abi.encodePacked(to, amount));
    address signer = ECDSA.recover(hash, sig);
    require(signer == owner, "Invalid");
    // Nothing records that this signature has been consumed: the same
    // (to, amount, sig) tuple can be submitted again and again.
    token.transfer(to, amount);
}

Secure Code
// FIXED: EIP-712 typed data with a per-owner nonce and a domain separator
function executeWithSig(address to, uint256 amount, uint256 nonce, bytes memory sig) external {
    // Consume the owner's current nonce; the post-increment means the next call
    // needs nonce + 1, so this exact message can never execute twice. If the
    // signature check below fails, the whole transaction reverts and the
    // increment is rolled back.
    require(nonce == nonces[owner]++, "Invalid nonce");
    // abi.encode (not encodePacked) of the type hash and fields: the EIP-712 struct hash.
    bytes32 structHash = keccak256(abi.encode(EXECUTE_TYPEHASH, to, amount, nonce));
    // _hashTypedDataV4 (OpenZeppelin EIP712) prefixes "\x19\x01" and the domain
    // separator, which commits to block.chainid and address(this), so the same
    // signature does not verify on another chain or another deployment.
    bytes32 digest = _hashTypedDataV4(structHash);
    address signer = ECDSA.recover(digest, sig);
    require(signer == owner, "Invalid");
    token.transfer(to, amount);
}

Prevention
- Include nonces to prevent replay within the same contract
- Use EIP-712 typed structured data with domain separator (includes chain ID and contract address)
- Include deadline/expiry timestamps in signed messages
- Mark signatures as used after execution
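The following is an added, stand-alone Go example that is not part of this page or of the auditor it describes. It models the two verifiers above off-chain: a vulnerable executor that checks only a signature over (to, amount), and a hardened one that rejects expired requests, consumes a sequential nonce, and verifies an EIP-712-style digest ("\x19\x01" || domainSeparator || structHash) whose domain commits to a chain ID and a verifying contract. To stay in the standard library it uses ECDSA over P-256 and SHA-256 as stand-ins for secp256k1 and keccak256; the contract address "0xExecutor", the recipient "0xAlice", and the timestamps are constructed placeholders. Chain ID 10 is Optimism's, chain ID 1 is Ethereum mainnet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Domain carries the EIP-712 domain fields that bind a signature to one
// deployment: the chain ID and the verifying contract (a placeholder string here).
type Domain struct {
	ChainID  uint64
	Contract string
}

// Request is the signed payload. Nonce and Deadline are the replay guards.
type Request struct {
	To       string
	Amount   uint64
	Nonce    uint64
	Deadline int64 // unix seconds; the signature is void after this
}

func u64(v uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, v)
	return b
}

// hash stands in for keccak256 (SHA-256 from the standard library).
func hash(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// VulnerableDigest covers only (to, amount): nothing ties it to a nonce, chain or contract.
func VulnerableDigest(to string, amount uint64) []byte {
	return hash([]byte(to), u64(amount))
}

// TypedDigest follows the EIP-712 layout: "\x19\x01" || domainSeparator || structHash.
func TypedDigest(d Domain, r Request) []byte {
	domainSep := hash([]byte("Executor"), u64(d.ChainID), []byte(d.Contract))
	structHash := hash([]byte("Execute(address to,uint256 amount,uint256 nonce,uint256 deadline)"),
		[]byte(r.To), u64(r.Amount), u64(r.Nonce), u64(uint64(r.Deadline)))
	return hash([]byte{0x19, 0x01}, domainSep, structHash)
}

// GenerateOwner and Sign use ECDSA over P-256 as a stand-in for secp256k1.
func GenerateOwner() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

func Sign(priv *ecdsa.PrivateKey, digest []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest)
}

// VulnerableExecutor accepts any owner signature over (to, amount), every time.
type VulnerableExecutor struct{ Owner *ecdsa.PublicKey }

func (e *VulnerableExecutor) Execute(to string, amount uint64, sig []byte) error {
	if !ecdsa.VerifyASN1(e.Owner, VulnerableDigest(to, amount), sig) {
		return errors.New("invalid signature")
	}
	return nil // the transfer would happen here; a replayed sig passes again
}

// HardenedExecutor checks the deadline, verifies a domain-bound digest and then
// consumes the nonce, which marks the signature as used for good.
type HardenedExecutor struct {
	Owner  *ecdsa.PublicKey
	Domain Domain
	nonce  uint64 // next expected nonce, mirrors nonces[owner] in the contract
}

func (e *HardenedExecutor) Execute(r Request, sig []byte, now int64) error {
	if now > r.Deadline {
		return errors.New("signature expired")
	}
	if r.Nonce != e.nonce {
		return errors.New("invalid nonce")
	}
	if !ecdsa.VerifyASN1(e.Owner, TypedDigest(e.Domain, r), sig) {
		return errors.New("invalid signature")
	}
	e.nonce++ // advance only after every check has passed
	return nil
}

func main() {
	priv := GenerateOwner()
	vuln := &VulnerableExecutor{Owner: &priv.PublicKey}
	sig, _ := Sign(priv, VulnerableDigest("0xAlice", 100))
	fmt.Println("vulnerable, first use:", vuln.Execute("0xAlice", 100, sig))
	fmt.Println("vulnerable, replay:   ", vuln.Execute("0xAlice", 100, sig))
	optimism := Domain{ChainID: 10, Contract: "0xExecutor"}
	hard := &HardenedExecutor{Owner: &priv.PublicKey, Domain: optimism}
	other := &HardenedExecutor{Owner: &priv.PublicKey, Domain: Domain{ChainID: 1, Contract: "0xExecutor"}}
	req := Request{To: "0xAlice", Amount: 100, Nonce: 0, Deadline: 1700000000}
	sig2, _ := Sign(priv, TypedDigest(optimism, req))
	fmt.Println("hardened, first use:  ", hard.Execute(req, sig2, 1699999000))
	fmt.Println("hardened, replay:     ", hard.Execute(req, sig2, 1699999000))
	fmt.Println("hardened, other chain:", other.Execute(req, sig2, 1699999000))
}
```

Running it prints `<nil>` twice for the vulnerable executor (the replay is accepted), then `<nil>`, `invalid nonce` and `invalid signature` for the hardened one: the second submission is stopped by the consumed nonce, and the same signature presented to the mainnet deployment fails because the domain separator, and therefore the digest, differs. Note that the nonce is advanced only after the signature check, so a failed attempt does not burn the owner's nonce; in the Solidity version the same effect comes from the transaction reverting as a whole.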