bin2chen
medium
_validateSigner() does not include the chainId in the signed message, so signatures can be re-used if the contract is later deployed on other chains.
_validateSigner() without chainId
/// @notice Checks that `signature` over (timestamp, asset, price) was produced by `publisher`.
/// @dev The signed payload is keccak256(abi.encodePacked(timestamp, asset, price)), passed
///      through ECDSA.toEthSignedMessageHash before recovery. Nothing in the payload
///      identifies the chain, so the digest is the same on every chain for the same inputs.
/// @param timestamp Timestamp value covered by the signature.
/// @param asset Asset address covered by the signature.
/// @param price Price value covered by the signature.
/// @param signature Signature bytes to verify.
/// @return True when the signer recovered from `signature` equals `publisher`.
function _validateSigner(
    uint256 timestamp,
    address asset,
    uint256 price,
    bytes memory signature
) internal view returns (bool) {
    // @audit the hashed payload omits the chainId
    bytes32 payloadHash = keccak256(abi.encodePacked(timestamp, asset, price));
    bytes32 signedHash = ECDSA.toEthSignedMessageHash(payloadHash);
    return ECDSA.recover(signedHash, signature) == publisher;
}
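Risk of cross-chain signature re-use: a signature accepted on one chain would also pass validation on another chain's deployment if the same publisher key is used there.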
Manual Review
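Include the chainId in the signed message, e.g. `keccak256(abi.encodePacked(block.chainid, timestamp, asset, price))`, so that a signature produced for one chain does not verify on another. The off-chain signer must build the same payload.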