What is an on-chain signature?

A cryptographic signed message created off-chain that authorizes an action or proves intent, which is verified on-chain to execute a transaction.

When should I use this checklist?

When auditing contracts that verify signatures or rely on signed messages, especially to catch rounding issues, replay, and malleability exploits.

What are common issues to look for?

Signature malleability, replay protection flaws, nonce management gaps, improper domain hashing, incorrect recovery id usage, and potential rounding-related arithmetic pitfalls in verification.

on-chain-signatures-checklist

Scanned

npx machina-cli add skill mnedelchev-vn/solidity-defi-claude-skills/on-chain-signatures-checklist --openclaw

Files (1)

SKILL.md

420 B

Rounding issues and exploits analysis

TODO

When to Use

TODO

When NOT to Use

TODO

Examples of issues with On-chain signatures

Case 1: TODO

Additional Analysis

Beyond the patterns above, apply your full security knowledge to identify any related issues not covered here for the topic of this particular skill.

Source

git clone https://github.com/mnedelchev-vn/solidity-defi-claude-skills/blob/master/skills/on-chain-signatures-checklist/SKILL.md

View on GitHub

Overview

This skill provides a structured framework to analyze on-chain signature flows, with emphasis on rounding issues and exploitation patterns. It helps auditors decide when to apply an on-chain signatures review and what issues to look for.

How This Skill Works

The checklist guides you through sections like When to Use and Examples of issues, then drives Additional Analysis to surface issues beyond common patterns. It stresses applying security expertise to identify signature-related risks in smart contracts and verifications on-chain.

When to Use It

Auditing a smart contract that accepts signed approvals or meta-transactions on-chain.
Reviewing a DeFi protocol that validates user actions via on-chain signatures.
Designing or auditing multi-signature wallets and nonce/replay protections.
Assessing on-chain signature flow in relayed or cross-chain messaging.
Investigating potential signature replay, rounding, or malleability issues in on-chain verification.

Quick Start

Step 1: Identify all on-chain signature verifications in the target contract.
Step 2: Review hashing, domain separation, and the signature recovery path for correctness.
Step 3: Apply best practices and run tests to catch rounding, replay, and malleability issues.

Best Practices

Use standard signature schemes (ECDSA/Secp256k1) with explicit domain separation and clear hashing.
Validate message hashing end-to-end and implement robust nonce/replay protections.
Check for signature malleability (s-value normalization, proper v handling) and avoid malleable recoveries.
Keep signature verification logic isolated in small, auditable functions with minimal state.
Create regression tests with known edge cases (and fuzzing) to catch rounding and arithmetic-related issues.

Example Use Cases

A meta-transaction system where users sign actions that relayers submit on-chain.
A permit-style function where on-chain verification controls token transfers.
Governance contracts validating proposals via on-chain signatures from token holders.
Relayer-based bridges that require signed attestations to authorize message relays.
Cross-chain messaging patterns that verify on-chain signatures to ensure message integrity.

Frequently Asked Questions

Add this skill to your agents