Low Findings
Signature Replay
Severity: Low
Ecosystem: Sui
Protocol: Drife Technologies
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Dec 2023
Code Snippet: N/A
Description:
In several functions, a signature authorizes and validates an action, so that users can execute specific operations only if authorized by the off-chain authority. However, in the current implementation of the signature mechanism, the same signed operation may be submitted and processed multiple times. Thus, if a malicious actor captures a valid signed transaction, they may reuse it to execute that particular action repeatedly, without any further authentication.
Possibility of Signature Reuse
Severity: Low
Ecosystem: Sui
Protocol: Aftermath Orderbook
Auditor: OtterSec
Report: https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772
Report Date: Feb 2024
Code: N/A
Description: There is a risk of cryptographic signature reuse when placing stop orders within clearing_house. The signatures are computed over a combination of order-specific details and a distinct random value, termed a salt, which introduces unpredictability. However, if the same salt is reused, unintentionally or intentionally, when generating signatures for different stop orders, an observer can detect patterns and extract information about a user’s specific stop orders, potentially compromising their privacy.
claim_boosterpack() data signature isn’t typed
Severity: Low
Ecosystem: Sui
Protocol: Claynosaurz
Auditor: Certora
Report: https://github.com/Certora/SecurityReports/blob/main/Reports/2025/04_18_2025_Claynosaurz_NFT.pdf
Report Date: Apr 2025
Description:
The claim_boosterpack() function receives signed data (bytes and signature) that contains information about the boosterpack to be claimed. The signature isn’t ‘typed’ (as in EIP-712), which might allow an attacker to reuse data that was signed by the same address for other purposes (e.g. signing a Sui tx).
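
Added example (not taken from any of the audit reports or the audited projects): a verifier-side sketch of the two mitigations the Signature Replay and claim_boosterpack() findings point to, a domain-tagged ("typed") message plus a consumed-nonce set. The domain tag, field layout and key are constructed assumptions, and HMAC-SHA256 stands in for the authority's public-key signature so the block runs with the standard library alone.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration only (assumptions, not from the reports).
DOMAIN = b"example-protocol/claim/v1"    # hypothetical domain tag
AUTHORITY_KEY = b"constructed-demo-key"  # stand-in for the authority's signing key


def encode_claim(domain: bytes, user: bytes, item_id: int, nonce: int) -> bytes:
    """Typed message: length-prefixed domain tag and user, then fixed-width fields."""
    return (struct.pack(">H", len(domain)) + domain
            + struct.pack(">H", len(user)) + user
            + struct.pack(">QQ", item_id, nonce))


def authority_sign(message: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in; a real deployment verifies a public-key signature.
    return hmac.new(AUTHORITY_KEY, message, hashlib.sha256).digest()


class ClaimVerifier:
    """Accepts each (user, nonce) authorization at most once."""

    def __init__(self, domain: bytes):
        self.domain = domain
        self.used = set()  # nonces already consumed, per user

    def claim(self, user: bytes, item_id: int, nonce: int, sig: bytes) -> str:
        # Rebuild the message under *this* verifier's domain tag before checking.
        msg = encode_claim(self.domain, user, item_id, nonce)
        if not hmac.compare_digest(authority_sign(msg), sig):
            return "bad-signature"
        if (user, nonce) in self.used:
            return "replayed"
        self.used.add((user, nonce))
        return "ok"


def demo():
    verifier = ClaimVerifier(DOMAIN)
    user = b"\x01" * 32  # constructed 32-byte address
    sig = authority_sign(encode_claim(DOMAIN, user, 7, 1))
    first = verifier.claim(user, 7, 1, sig)
    second = verifier.claim(user, 7, 1, sig)  # same signed payload submitted again
    # Same fields signed under a different domain tag must not verify here.
    other = authority_sign(encode_claim(b"example-protocol/other/v1", user, 7, 2))
    cross = verifier.claim(user, 7, 2, other)
    return first, second, cross
```

The nonce set rejects the second submission of an otherwise valid authorization, and the domain tag makes a signature issued for another purpose fail verification even when every other field matches.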