Signature Replay

A signature validated on one blockchain is replayed on a forked or parallel chain with identical contract addresses. This is a critical risk during network upgrades or hard forks (e.g., Ethereum Classic fork).

• Mechanism: The attacker obtains a signed message authorizing a transaction on Chain A.
• Attack: They submit the same signature to an identical contract on Chain B, where the authorization is still considered valid.
• Prevention: Include the chainId (EIP-155) in the signed message digest to bind the signature to a specific network.

A signature intended for one smart contract is reused to execute a function on a different contract, often within the same protocol or ecosystem.

• Mechanism: A user signs a message to permit Contract A to spend tokens. Contract A and Contract B use the same signature verification logic.
• Attack: An attacker takes the signature and submits it to Contract B, tricking it into executing a similar privileged action.
• Prevention: Incorporate the contract's own address (address(this)) into the signed message hash, creating a unique digest for each contract.

Certain signature schemes, like Ethereum's early personal_sign, are vulnerable to signature malleability, where the same signed digest can have multiple valid signature representations.

• Mechanism: The ECDSA (v, r, s) tuple can be transformed into a different, yet valid, (v', r, s') signature for the same message.
• Attack: A contract that only checks if a signature is valid, without recording which specific signature was used, can have the transformed signature replayed.
• Prevention: Use higher-level standards like EIP-712 for structured data, or implement a nonce system to record used signatures.

The most common vulnerability: signed messages (e.g., for token approvals or meta-transactions) lack a unique identifier or expiration, making them valid indefinitely.

• Example: A user signs "Approve 100 tokens to Bob." Bob can replay this signature daily to drain 100 tokens repeatedly.
• Critical Fixes:
  • Nonce: Include a sequentially incrementing number in the message. The contract must track used nonces.
  • Deadline: Include a timestamp (deadline or expiry) in the signed data, after which the signature is invalid.
• Standard: EIP-2612 (permit) for ERC-20 tokens mandates the use of a nonce and deadline.

In proxy contract architectures using delegatecall, the execution context (like msg.sender and address(this)) changes, which can break signature verification logic.

• Mechanism: A signature is verified in a logic contract. When called via a proxy's delegatecall, address(this) refers to the proxy's address, not the logic contract's.
• Vulnerability: If the signed message hash was computed using the logic contract's address, verification in the proxy context will fail, or worse, create a mismatch attackers could exploit.
• Prevention: Explicitly define and use a immutable, agreed-upon domain separator (as in EIP-712) that accounts for the proxy's address.

A robust signature scheme must incorporate multiple defenses to be replay-resistant.

• Always Include:
  • chainId: Binds signature to a specific network.
  • Nonce: A unique, incrementing identifier for each signer.
  • Deadline: A timestamp for signature expiration.
• Strongly Recommended:
  • Use EIP-712 for structured, human-readable signing.
  • Include verifying contract address (address(this)) in the digest.
  • For proxies, use a domain separator that is immutable and proxy-aware.
• Verification: Store used nonces and check deadlines in the contract state.

A nonce (number used once) is a unique, incrementing counter attached to an account or transaction. It is the most fundamental defense, ensuring each signature is tied to a specific transaction sequence.

• Account Nonce: In Ethereum, each account has a nonce that increments with every transaction, making replay impossible on the same chain.
• Transaction Nonce: Explicitly included in the signed data, guaranteeing uniqueness.

EIP-155 introduced the inclusion of the chain ID in the transaction signing process. This prevents a signature valid on one Ethereum network (e.g., Mainnet) from being replayed on another (e.g., a testnet or fork).

• How it works: The chain ID is encoded into the v component of the signature.
• Impact: Made cross-network replay attacks obsolete, a critical upgrade for network security.

Used for typed structured data signing, the EIP-712 domain separator creates a unique signing context for smart contracts. It includes the chain ID, verifying contract address, and other data.

• Prevents: Replay of a signature between different contracts or across different chains.
• Common Use: Secure signatures for permits in DeFi (e.g., ERC-20 permit function) and off-chain approvals.

Incorporating a deadline or expiry timestamp into the signed message limits its validity window. This is a time-based replay protection mechanism.

• Function: The signature is only valid if used before the specified block timestamp or Unix time.
• Application: Critical for meta-transactions, gasless transactions, and decentralized exchange orders to prevent stale signatures from being executed later.

Smart contracts can implement their own internal nonce or a user-provided salt for actions like creating contracts or executing specific functions.

• Contract-Counter Nonce: A mapping that tracks the number of times a user has performed an action.
• Unique Salt: A random value provided by the user, ensuring the hash of the transaction data is unique every time.
• Example: Used in CREATE2 for deterministic contract address generation and replay-safe multi-signature wallet executions.

During a blockchain fork, transactions can be replayed on both chains because they share a history. Projects implement specific fork replay protection.

• Opt-In Protection: Users may need to add a marker (e.g., OP_RETURN data in Bitcoin) to differentiate chains.
• Automatic Protection: Some forks change signature schemes or enforce different transaction formats from the genesis block.
• Historical Note: The Ethereum Classic fork initially suffered from replay attacks before implementing protective measures.

The fundamental flaw is that a signature is a cryptographic proof of approval for a specific message hash. If the signed data (e.g., transaction details) does not include unique, binding context, an attacker can replay it in a different but valid context. Common missing elements include:

• Chain ID: To prevent cross-chain replay.
• Nonce: To prevent replay on the same chain.
• Contract Address: To prevent reuse on a forked or duplicate contract.
• Deadline: To enforce a validity window.

Within a single chain/contract context, nonces are the primary mechanism to ensure one-time use of a signature. Each signed message or permit must include a unique, incrementing nonce.

• Account Nonce: In native transactions, the sender's transaction count prevents replay of the same transfer.
• Contract Nonce: Standards like EIP-2612 (Permit) for ERC-20 tokens mandate a user-specific nonce stored in the token contract. Once a signature with a given nonce is used, it can never be used again, even if all other parameters (amount, spender) are identical.

To prevent signature replay attacks, smart contract and dApp developers must implement a defense-in-depth approach:

• Always use EIP-712 for structured signing with a domain separator.
• Include a Chain ID in all signatures.
• Implement a Nonce System for stateful actions and ensure it's part of the signed message.
• Use Deadlines (deadline or expiry) to limit signature validity.
• Verify in Contract: The verifying contract must explicitly check all these parameters (e.g., block.chainid, nonces[owner], deadline > block.timestamp) before accepting a signature.

An attack where a signature valid on one blockchain network is maliciously reused on another network, often after a chain fork or on a bridged chain with identical address schemes. This exploits the fact that the same private key can control addresses on multiple chains.

• Example: After the Ethereum Classic (ETC) fork from Ethereum (ETH), signatures for transactions on one chain could be replayed on the other.
• Mitigation: Use EIP-155-style chain IDs or include a unique network identifier in the signed message to bind the signature to a specific domain.

Occurs when a signature authorizing an action for one smart contract is reused to execute the same action on a different, often upgraded or similar, contract. This is common in proxy upgrade patterns or factory-deployed contracts.

• Mechanism: A user signs a permit to spend tokens via Contract A. An attacker reuses that signature to call the same function on Contract B, which may have different logic or state.
• Prevention: Incorporate the contract's address (address(this)) into the signed data hash, creating a unique signature per contract.

A vulnerability where a system fails to properly track and validate nonces (numbers used once), allowing the same signed message to be executed multiple times. Unlike transaction nonces in Ethereum, message nonces for off-chain signatures must be managed by the contract.

• Failure Mode: A contract checks signature validity but does not store or check a nonce, allowing infinite replays of a permit or meta-transaction.
• Standard Solution: Implement a mapping (e.g., mapping(address => uint256) public nonces) and increment the nonce after each successful use, as seen in EIP-2612 (Permit) and EIP-712.

The 2016 attack on The DAO, while primarily an reentrancy exploit, was followed by a critical signature replay vulnerability during the rescue efforts. After the hard fork to return funds (creating ETH), attackers replayed the same withdrawal transactions on the unforked chain (ETC).

• Consequence: This allowed theft of ETC from the forked DAO contract, highlighting the dangers of identical transaction semantics across chains.
• Legacy: This event was a primary catalyst for the adoption of EIP-155, which added a chain ID to transaction signatures to prevent cross-chain replay.

Critical practices to identify and eliminate replay vulnerabilities before contract deployment.

• Testing: Use dedicated test suites that simulate cross-chain and cross-contract scenarios. Tools like Foundry and Hardhat can fork different networks to test replay resistance.
• Formal Verification: Use tools like Certora Prover or Runtime Verification to mathematically prove that a signature validated in one context (e.g., with a specific nonce and chain ID) cannot be valid in another.
• Audit Focus: Reputable smart contract audits always include a review of signature validation logic for replay flaws.