ClaudeWave
Skill · 109 repo stars · updated 2mo ago

signature-replay-analysis

Detects signature replay vulnerabilities in smart contracts — affecting 19.63% of signature-using contracts. Covers five replay types (same-chain, cross-chain, cross-contract, nonce-skip, expired-signature), EIP-712 domain separator verification, nonce management analysis, ecrecover edge cases (address(0), malleability, s-value), permit/permit2 safety, ERC-1271 contract wallet support, and meta-transaction security. Use when auditing contracts with ecrecover, ECDSA, EIP-712, permit, meta-transactions, multi-sig, or any off-chain signature verification.

Install in Claude Code

git clone --depth 1 https://github.com/quillai-network/quillshield_skills /tmp/signature-replay-analysis && cp -r /tmp/signature-replay-analysis/plugins/signature-replay-analysis/skills/signature-replay-analysis ~/.claude/skills/signature-replay-analysis
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Signature & Replay Analysis

Detect vulnerabilities where **cryptographic signatures can be reused**, replayed across chains/contracts, or exploited through implementation flaws. Research shows 19.63% of Ethereum contracts using signatures contain replay vulnerabilities.

## When to Use

- Auditing contracts that verify signatures (`ecrecover`, ECDSA, EIP-712)
- Reviewing ERC-20 `permit()` / Uniswap Permit2 implementations
- Analyzing meta-transaction / gasless relay systems
- Verifying multi-sig signature aggregation
- Checking off-chain order books or signed message execution

## When NOT to Use

- Contracts without any signature verification
- Pure on-chain access control (use semantic-guard-analysis)
- Token standard compliance (use external-call-safety)

## Core Concept: The Signature Trust Model

A signature proves that a specific private key holder authorized a specific action. For this to be secure, the signature must be:

1. **Bound to context** — specific chain, contract, and version (domain separation)
2. **Used exactly once** — nonce prevents replay
3. **Time-limited** — deadline/expiry prevents late execution
4. **Correctly verified** — ecrecover edge cases handled

Any gap in this model creates a replay vulnerability.

## The Five Replay Types

### Type 1: Same-Chain Replay

The exact same signature is submitted multiple times to the same contract on the same chain.

```solidity
// VULNERABLE: No nonce — same signature works forever
function executeWithSig(address to, uint256 amount, bytes memory signature) external {
    bytes32 hash = keccak256(abi.encodePacked(to, amount));
    address signer = ECDSA.recover(hash, signature);
    require(signer == admin, "Invalid signer");
    token.transfer(to, amount);
    // Attacker can submit this same signature again and again!
}

// SAFE (against same-chain replay): consume a sequential nonce
mapping(address => uint256) public nonces;

function executeWithSig(address to, uint256 amount, uint256 nonce, bytes memory signature) external {
    require(nonce == nonces[admin], "Invalid nonce");
    bytes32 hash = keccak256(abi.encodePacked(to, amount, nonce));
    address signer = ECDSA.recover(hash, signature);
    require(signer == admin, "Invalid signer");
    nonces[admin]++; // consumed before the transfer, so a re-entrant call sees the new nonce
    token.transfer(to, amount);
    // Still not bound to this chain or this contract: see Types 2 and 3
}
```

### Type 2: Cross-Chain Replay

A signature valid on one chain (e.g., Ethereum) is replayed on another chain (e.g., Polygon, Arbitrum) where the same contract is deployed.

```solidity
// VULNERABLE: No chainId in signed message
bytes32 hash = keccak256(abi.encodePacked(to, amount, nonce));
// This hash is identical on Ethereum, Polygon, Arbitrum, etc.

// SAFE: Include chainId (via EIP-712 domain separator)
bytes32 DOMAIN_SEPARATOR = keccak256(abi.encode(
    keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
    keccak256(bytes("MyContract")),
    keccak256(bytes("1")),
    block.chainid,
    address(this)
));
// If this value is cached at construction, recompute it whenever block.chainid changes:
// after a chain fork a stale separator keeps signatures from the other fork valid here.
```

### Type 3: Cross-Contract Replay

A signature for Contract A is replayed on Contract B (same chain) if both accept the same message format without contract-specific binding.

```solidity
// VULNERABLE: No contract address in signed message
bytes32 hash = keccak256(abi.encodePacked(to, amount, nonce, block.chainid));
// Same hash for any contract on this chain

// SAFE: Include verifyingContract (via EIP-712)
// The domain separator includes address(this), binding to this specific contract
```

### Type 4: Nonce-Skip Replay

Nonce implementation allows gaps or out-of-order execution, enabling skipped nonces to be replayed later.

```solidity
// RISKY: Unordered per-nonce flags with no way to invalidate
// (also keyed globally rather than per signer, so two signers cannot both use nonce 1)
mapping(uint256 => bool) public usedNonces;

function execute(uint256 nonce, ...) external {
    require(!usedNonces[nonce], "Used");
    usedNonces[nonce] = true;
    // If nonces 1, 2, 3 are used but 4 is skipped,
    // nonce 4 can be used anytime in the future
    // This may be intentional (parallel orders) OR a vulnerability depending on context
}

// SAFER for strict ordering: Sequential nonce per signer
mapping(address => uint256) public nonces;

function execute(uint256 nonce, ...) external {
    // `signer` is the address recovered from the signature (recovery omitted here)
    require(nonce == nonces[signer], "Invalid nonce");
    nonces[signer]++;
}
```
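When out-of-order nonces are intentional (parallel orders, Permit2-style permits), the missing piece in the flagged pattern is a way for the signer to burn nonces they no longer want honoured. The contract below is an added example, not code from the skill: it uses the word-and-bit bitmap layout that Permit2 uses for unordered nonces, and the contract and function names (`UnorderedNonces`, `_useUnorderedNonce`, `invalidateUnorderedNonces`, `isNonceUsed`) are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Unordered ("bitmap") nonces with explicit invalidation.
/// Added example for this page; names are illustrative, not a library API.
contract UnorderedNonces {
    // signer => word index => 256-bit bitmap of consumed nonces
    mapping(address => mapping(uint256 => uint256)) public nonceBitmap;

    event NonceInvalidation(address indexed signer, uint256 wordPos, uint256 mask);

    error NonceAlreadyUsed(uint256 nonce);

    /// Consume `nonce` for `signer`; reverts if it was already used or invalidated.
    /// Out-of-order use is allowed by design, so a skipped nonce stays valid until
    /// it is consumed here or burned via invalidateUnorderedNonces.
    function _useUnorderedNonce(address signer, uint256 nonce) internal {
        uint256 wordPos = nonce >> 8;      // which 256-bit word holds this nonce
        uint256 bitPos = nonce & 0xff;     // which bit inside that word
        uint256 bit = 1 << bitPos;         // literal shifts are evaluated in uint256
        uint256 flipped = nonceBitmap[signer][wordPos] ^= bit;
        // if the bit was already set, XOR cleared it: nonce was used before
        if ((flipped & bit) == 0) revert NonceAlreadyUsed(nonce);
    }

    /// Let the signer burn nonces they never intend to use, e.g. a signature that
    /// leaked or an order they changed their mind about. Without this, a skipped
    /// nonce is a standing liability: whoever holds the signature can execute it later.
    function invalidateUnorderedNonces(uint256 wordPos, uint256 mask) external {
        nonceBitmap[msg.sender][wordPos] |= mask;
        emit NonceInvalidation(msg.sender, wordPos, mask);
    }

    /// Audit helper: has `nonce` been consumed or invalidated for `signer`?
    function isNonceUsed(address signer, uint256 nonce) external view returns (bool) {
        return (nonceBitmap[signer][nonce >> 8] & (1 << (nonce & 0xff))) != 0;
    }
}
```

During an audit the question for an unordered scheme is therefore not "can nonces be skipped" but "can the signer revoke a skipped one". If the contract has no invalidation path, a leaked or stale signature remains executable indefinitely, which is the Type 4 finding.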

### Type 5: Expired-Signature Replay

A signature without a deadline can be held and executed at an arbitrary future time when conditions have changed.

```solidity
// VULNERABLE: No deadline — signature valid forever
function permit(address owner, address spender, uint256 value, uint8 v, bytes32 r, bytes32 s) external {
    bytes32 hash = keccak256(abi.encodePacked(owner, spender, value, nonces[owner]++));
    require(ecrecover(hash, v, r, s) == owner, "Invalid");
    allowance[owner][spender] = value;
    // This permit can be executed weeks later when user doesn't expect it
}

// SAFE: Include deadline
function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
    require(block.timestamp <= deadline, "Expired");
    // ... rest of verification
}
```

## ecrecover Safety

### Edge Case 1: Returns address(0)

`ecrecover` returns `address(0)` for invalid signatures instead of reverting.

```solidity
// VULNERABLE: address(0) accepted as valid signer
address signer = ecrecover(hash, v, r, s);
require(signer == owner, "Invalid");
// If owner == address(0) AND signature is invalid → passes!

// SAFE: Explicit zero check
address signer = ecrecover(hash, v, r, s);
require(signer != address(0), "Invalid signature");
require(signer == owner, "Wrong signer");

// SAFEST: Use OpenZeppelin's ECDSA.recover() — reverts on address(0) and on malleable (high-s) signatures
address signer = ECDSA.recover(hash, signature);
```

### Edge Case 2: Signature Malleability

For every valid ECDSA signature (r, s, v), there exists a second valid signature (r, s', v') for the same message. Anyone can derive the second form without the private key, so a signature is not a unique identifier: a contract that tracks used signatures by their hash instead of by nonce can be replayed with the malleated twin.

```solidity
// The Ethereum standard: s must be in the lower half of the curve order
// s' = secp256k1n -
```
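The contract below is an added example (not the skill's code) that pulls together the trust-model requirements, the five replay types and the two ecrecover edge cases above in one verifier: an EIP-712 domain bound to chain and contract (rebuilt if the chain id changes), a sequential nonce, a deadline, and a recovery helper that rejects high-s, non-canonical v, and an address(0) result. Contract, type and error names (`SignedExecutor`, `Execute`, `EXECUTE_TYPEHASH`, the custom errors) are assumptions; the minimal `IERC20` interface is included so the file compiles stand-alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Added example for this page; contract, struct and error names are illustrative.
contract SignedExecutor {
    bytes32 private constant EIP712_DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
    // Field order and types here must match abi.encode(...) in executeWithSig exactly
    bytes32 private constant EXECUTE_TYPEHASH =
        keccak256("Execute(address to,uint256 amount,uint256 nonce,uint256 deadline)");
    bytes32 private constant NAME_HASH = keccak256("SignedExecutor");
    bytes32 private constant VERSION_HASH = keccak256("1");
    // Half the secp256k1 group order n: the malleable twin of s is n - s, so reject s > n/2
    uint256 private constant SECP256K1_N_DIV_2 =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    IERC20 public immutable token;
    address public immutable admin;
    uint256 private immutable _cachedChainId;
    bytes32 private immutable _cachedDomainSeparator;

    mapping(address => uint256) public nonces;

    error Expired(uint256 deadline);
    error BadSignature();
    error WrongSigner(address recovered);

    constructor(IERC20 token_, address admin_) {
        // address(0) is what ecrecover returns on failure, so it must never be a trusted signer
        require(admin_ != address(0), "admin is zero");
        token = token_;
        admin = admin_;
        _cachedChainId = block.chainid;
        _cachedDomainSeparator = _buildDomainSeparator();
    }

    /// Types 2 and 3: chainId + verifyingContract bind the signature to this deployment.
    /// Rebuilt when the chain id differs from the cached one (post-fork), so it never goes stale.
    function DOMAIN_SEPARATOR() public view returns (bytes32) {
        return block.chainid == _cachedChainId ? _cachedDomainSeparator : _buildDomainSeparator();
    }

    function _buildDomainSeparator() private view returns (bytes32) {
        return keccak256(abi.encode(EIP712_DOMAIN_TYPEHASH, NAME_HASH, VERSION_HASH, block.chainid, address(this)));
    }

    function executeWithSig(address to, uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
        // Type 5: a held signature stops being executable after the deadline
        if (block.timestamp > deadline) revert Expired(deadline);

        // Types 1 and 4: strict sequential nonce, consumed before any external call.
        // The signer must have signed exactly this value; a stale or skipped nonce fails recovery.
        uint256 nonce = nonces[admin]++;

        // abi.encode (not encodePacked) so adjacent fields cannot be shifted into each other
        bytes32 structHash = keccak256(abi.encode(EXECUTE_TYPEHASH, to, amount, nonce, deadline));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR(), structHash));

        address signer = _recover(digest, v, r, s);
        if (signer != admin) revert WrongSigner(signer);

        require(token.transfer(to, amount), "transfer failed");
    }

    /// Edge cases 1 and 2: reject high-s (malleable) and non-canonical v, and treat
    /// ecrecover's address(0) result as a failure rather than as a signer.
    function _recover(bytes32 digest, uint8 v, bytes32 r, bytes32 s) private pure returns (address) {
        if (uint256(s) > SECP256K1_N_DIV_2) revert BadSignature();
        if (v != 27 && v != 28) revert BadSignature();
        address signer = ecrecover(digest, v, r, s);
        if (signer == address(0)) revert BadSignature();
        return signer;
    }
}
```

The signer produces the matching digest off-chain with `eth_signTypedData_v4` using the same domain fields (name, version, chainId, verifyingContract) and the same `Execute` struct. Two checks worth doing by hand in a review: the type string in `EXECUTE_TYPEHASH` lists the fields in the same order and with the same types as the `abi.encode` call, and the nonce that is hashed is the one that gets consumed.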
Other skills in the quillshield_skills repository:

- **behavioral-state-analysis** (Skill): Token-efficient smart contract security auditing via Behavioral State Analysis (BSA). Scopes analysis to contract type, runs only relevant threat engines, and uses tiered output depth. Use for auditing smart contracts, security reviews, or DeFi threat modeling.
- **defender** (Skill): Blue-team release-gate analysis for smart contract deployment and upgrade readiness. Classifies repositories, checks deploy/upgrade execution paths, CI/CD trust boundaries, config drift, secrets/signer operational security, and outputs evidence-backed release verdicts.
- **dos-griefing-analysis** (Skill): Detects Denial of Service and griefing vulnerabilities in smart contracts. Covers unbounded loop DoS, block gas limit exhaustion, external call failure DoS, insufficient gas griefing (63/64 rule), storage bloat attacks, timestamp griefing, self-destruct force-feeding, and push vs pull payment pattern analysis. Use when auditing contracts with batch operations, loops over user data, reward distribution, dividend systems, or any logic that depends on address(this).balance or iterates over growing collections.
- **external-call-safety** (Skill): Detects unsafe external call patterns and token integration vulnerabilities in smart contracts. Covers unchecked call/delegatecall/staticcall return values, fee-on-transfer tokens, rebasing tokens, tokens with missing return values (USDT), ERC-777 callback risks, unsafe approve race conditions, return data bombs, gas stipend limitations, and push vs pull payment patterns. Use when auditing contracts that interact with external contracts, integrate arbitrary ERC20 tokens, distribute payments, or make low-level calls.
- **input-arithmetic-safety** (Skill): Detects input validation failures and arithmetic vulnerabilities in smart contracts. Covers missing zero-address and zero-amount checks, division-before-multiplication precision loss, rounding direction exploitation, ERC4626 vault share inflation attacks, unsafe integer casting, dust amount exploitation, and Solidity 0.8+ unchecked block edge cases. Use when auditing contracts with fee calculations, share pricing, exchange rates, unchecked blocks, or any public-facing functions that accept user input.
- **oracle-flashloan-analysis** (Skill): Detects price oracle manipulation and flash loan attack vectors in DeFi smart contracts. Classifies oracle trust models (Chainlink, TWAP, spot price, custom), identifies stale price risks, circular price dependencies, and flash loan atomicity exploitation patterns. Use when auditing DeFi protocols that depend on price data, oracle integrations, lending protocols, DEXs, derivatives, or any contract where flash loans could manipulate state within a single transaction.
- **proxy-upgrade-safety** (Skill): Detects vulnerabilities in upgradeable proxy smart contracts including storage layout collisions, uninitialized implementations, function selector clashing, delegatecall context issues, and upgrade path safety. Covers Transparent Proxy, UUPS (EIP-1822), Beacon, Diamond (EIP-2535), and Minimal Proxy (EIP-1167) patterns. Use when auditing upgradeable contracts, reviewing implementation upgrades, analyzing delegatecall architectures, or verifying proxy pattern compliance.
- **reentrancy-pattern-analysis** (Skill): Systematically detects all reentrancy vulnerability variants in smart contracts — classic, cross-function, cross-contract, and read-only reentrancy. Builds call graphs, verifies CEI (Checks-Effects-Interactions) pattern compliance, traces state changes relative to external calls, and identifies callback vectors through ERC-777/ERC-1155 hooks. Use when auditing contracts that make external calls, transfer ETH or tokens, interact with callback-enabled standards, or have complex multi-contract architectures.
Systematically detects all reentrancy vulnerability variants in smart contracts — classic, cross-function, cross-contract, and read-only reentrancy. Builds call graphs, verifies CEI (Checks-Effects-Interactions) pattern compliance, traces state changes relative to external calls, and identifies callback vectors through ERC-777/ERC-1155 hooks. Use when auditing contracts that make external calls, transfer ETH or tokens, interact with callback-enabled standards, or have complex multi-contract architectures.