Signature Replay Attack

The attack exploits a lack of uniqueness or context in the signed message. If a signature does not include a nonce, a chain identifier, or a specific deadline, it can be valid on multiple networks or for multiple transactions. The classic vulnerability is in functions like permit for ERC-20 approvals or in multi-step contract interactions where the same signed data can be submitted twice.

A signature created for a transaction on one blockchain (e.g., Ethereum Mainnet) can be replayed on a forked or compatible chain (e.g., Binance Smart Chain) if the signature's message does not include a chain ID. This was a significant risk during network forks. The EIP-155 standard, which includes the chain ID in transaction signing, was introduced to mitigate this specific vector for native transactions.

Even with EIP-155, replay attacks can occur at the smart contract application layer. Common scenarios include:

• ERC-2612 permit: Reusing a signature for the same token amount and deadline.
• Meta-Transactions: Replaying a signed meta-transaction request.
• Voting/Signing: Reusing a signature in a governance context. Mitigations involve incorporating nonces (e.g., permit uses the owner's nonce) and deadlines that make the signature invalid after a certain time.

Developers prevent replay attacks by ensuring signed data is unique and context-bound. Standard practices include:

• Incorporate a Nonce: A monotonically increasing number tied to the signer's account.
• Include Chain ID: Use block.chainid in the signed message hash.
• Use Deadlines: Make signatures expire with a timestamp.
• Use EIP-712: A standard for typed structured data hashing and signing that explicitly defines the domain (including chain ID) and message, reducing ambiguity.

The 2016 Ethereum hard fork that created Ethereum Classic (ETC) created a prime environment for cross-chain replay attacks. Transactions signed on the new Ethereum (ETH) chain were valid on the unforked ETC chain because the original signature scheme lacked a chain identifier. This led to users inadvertently repeating transactions (like token transfers) on both chains. This event directly motivated the implementation of EIP-155.

• EIP-712: Standard for typed structured data signing.
• EIP-2612: ERC-20 extension with permit function using signatures.
• Nonce: A number used once to ensure uniqueness.
• Meta-Transaction: A transaction where the fee is paid by a relayer, not the signer.
• Signature Malleability: A different but related vulnerability involving modifying a valid signature to create another valid one.

A classic replay vector occurs when a signed permit message for token approval is replayed across different chains or forks. The attack exploits the lack of a chain ID in the original EIP-2612 structured data. A signature valid on Ethereum Mainnet could be replayed on a fork (e.g., during the 2016 DAO fork) or a sidechain, allowing an attacker to drain allowances.

• Mechanism: The signed message contains owner, spender, value, deadline, but not a unique chain identifier.
• Mitigation: EIP-712 and later implementations mandate including the chainId and verifying contract address in the signed domain separator.

Bridges that use off-chain signatures for minting assets are prime targets. An attacker can intercept a valid signature authorizing a mint on Chain A and replay it on Chain B before it expires.

• Example: A user's signature to mint wrapped assets on Avalanche could be re-submitted to the bridge contract on Polygon.
• Root Cause: The signed message often lacked a destination chain identifier or a single-use nonce scoped across all connected chains.
• Solution: Implement a global, nonce-incrementing mechanism per user address across all bridge endpoints.

Smart contract factories using CREATE2 can be vulnerable if they accept signatures to deploy contracts with specific initialization code. An attacker can replay a successful deployment signature after the original contract has been selfdestructed, as CREATE2 generates the same address.

• Attack Flow: 1) User signs to deploy a contract. 2) Contract is deployed and later selfdestructs. 3) Attacker re-submits the same signature to redeploy a malicious contract at the same address, potentially hijacking expected interactions.
• Prevention: Include a salt in the signed message that is unique to the deployment transaction (e.g., a nonce).

Older multi-sig wallet implementations sometimes allowed signature reuse for separate transactions if the nonce wasn't properly managed. A signature authorizing Transaction A for amount X could be replayed to authorize Transaction B.

• Vulnerability: Storing signatures off-chain and submitting them later without binding them to a specific transaction hash and nonce.
• Modern Standard: Signatures must be over the precise EIP-712 typed data, which includes the wallet nonce, destination, value, and data, making each signature unique to a single transaction.

The primary defense is a robust, incrementing nonce. Different implementation patterns include:

• Sequential Nonce: A simple counter per user address (e.g., Ethereum's transaction nonce).
• Bitwise Nonce (Parallel): A bitmap where each bit represents a nonce position, allowing multiple pending signed messages without ordering constraints.
• Deadline/Timestamp: Including a deadline field in the signed message, making the signature invalid after a certain block timestamp.
• Chain ID & Domain Separator: Mandatory in EIP-712 to isolate signatures to a specific chain and contract.

EIP-712 (Typed Structured Data Hashing) is the canonical standard for preventing signature replay. It defines a domain separator that cryptographically binds a signature to a specific context.

Key components of the domain separator:

• name: The user-readable name of the signing contract.
• version: The version of the signing protocol.
• chainId: The EIP-155 chain ID (e.g., 1 for Ethereum Mainnet).
• verifyingContract: The address of the contract that will verify the signature.
• salt: A disambiguating salt (bytes32).

By hashing this data into the signature, a message signed for one contract on one chain cannot be replayed elsewhere.

A signature replay attack exploits the reuse of a valid cryptographic signature. The attack vector is:

• A user signs a message (e.g., a transaction approval) for a specific context.
• An attacker intercepts this signed message.
• The attacker re-submits the same signature in a different context (e.g., a second transaction, or on a forked chain).
• The verifying contract, lacking proper replay protection, accepts the signature as valid for the new, unauthorized action.

This occurs when a signature valid on one blockchain is replayed on another, often after a network fork (e.g., Ethereum/ETH and Ethereum Classic/ETC).

• Prevention: Include the chain ID (EIP-155) in the signed message. This binds the signature to a specific network, making it invalid on any other chain. Modern wallets and libraries like ethers.js and web3.js implement this by default for EIP-1559-type transactions.

The most common form, where a signature is replayed within the same contract or across multiple instances of the same contract.

• Prevention Mechanisms:
  • Nonces: Maintain a per-user incrementing counter (nonce) that is included in the signed hash. The contract must check and record the used nonce.
  • Deadlines: Include a timestamp (deadline or expiry) in the signed data, after which the signature is invalid.
  • Context-Specific Data: Hash unique contract state (like the contract's own address) into the signed message.

The Parity Multisig Wallet Hack (2017) involved a replay attack variant. A flaw in the library contract's initWallet function allowed an attacker to become the owner of any newly deployed wallet that used it.

• Root Cause: The initWallet function lacked proper state validation, allowing its initialization call to be replayed on already-initialized wallets.
• Impact: Over $30 million USD in Ether was frozen (not directly stolen) due to the library being killed, rendering dependent wallets inoperable. This highlights how replay vulnerabilities can have catastrophic, systemic consequences.

To prevent signature replay attacks, implement these checks in your signature-verifying functions:

• ✅ Include a Nonce: Use address => uint256 mapping to track and increment a user-specific nonce.
• ✅ Bind to Chain: Integrate block.chainid into your signed message hash (EIP-155 for txs, custom for off-chain sigs).
• ✅ Bind to Contract: Include address(this) in the signed data.
• ✅ Set a Deadline: Use a uint256 validUntil timestamp.
• ✅ Use EIP-712: For off-chain signatures, adopt the EIP-712 standard for maximum security and UX clarity.
• ❌ Never verify a signature without these context-binding parameters.

A nonce is a number used once. In blockchain transactions, it is a sequential counter attached to an account. It serves two critical security functions:

• Prevents transaction replay on the same chain: A transaction with a specific nonce can only be executed once.
• Ensures transaction ordering: The network processes transactions in strict nonce order, preventing double-spending from the same account.

The signature digest, or preimage, is the data that is actually signed by a user's private key. It is a cryptographic hash of the transaction data. For replay protection, this digest must include unique, chain-specific data like the chain ID and account nonce. If these fields are omitted, the resulting signature is generic and vulnerable to replay across different contexts.

Cross-chain bridges are frequent targets for sophisticated replay attacks. If a bridge's message-passing protocol does not implement robust replay protection (e.g., using unique nonces and destination chain identifiers), an attacker can intercept a valid signature authorizing an asset transfer and replay it to drain funds repeatedly. Several major bridge exploits have involved signature replay flaws.

Smart contracts must implement their own internal replay protection for functions that rely on off-chain signatures. Common patterns include:

• Mapping of used signatures: Storing a hash of a spent signature to prevent its reuse.
• Incrementing nonces per user: Maintaining a user-specific nonce within the contract state that must be included and validated in the signed message.
• Deadline timestamps: Making signatures expire after a certain block timestamp or height.