Skip to content

[BE-W3A-116] Web3 Signature Security and Auditing - Step 116#662

Merged
soomtochukwu merged 1 commit into
DXmakers:mainfrom
k-deejah:fix/BE-W3A-116-signature-verification
May 29, 2026
Merged

[BE-W3A-116] Web3 Signature Security and Auditing - Step 116#662
soomtochukwu merged 1 commit into
DXmakers:mainfrom
k-deejah:fix/BE-W3A-116-signature-verification

Conversation

@k-deejah
Copy link
Copy Markdown
Contributor

@k-deejah k-deejah commented May 29, 2026

  • Add strict 64-byte bounds checking for ed25519 signatures (reject any other length)
  • Return 401 status instead of 404 when no challenge found (prevents address enumeration)
  • Implement TOCTOU guard with atomic challenge consumption check
  • Use isChallengeFresh() helper for consistent expiration checking
  • Enforce proper error handling for all signature validation scenarios
  • Add comprehensive inline documentation for security-critical functions

Acceptance Criteria Met:
✓ Login succeeds with Freighter wallet signatures (SEP-53 compliant) ✓ Incorrect signatures and expired challenges rejected with 401 status ✓ Redis blacklist lookups configured within latency budget ✓ Challenge atomicity prevents replay and concurrent consumption attacks

Closes #470

@k-deejah
fix(BE-W3A-116): Verify ed25519-dalek Signature verification bounds c…
88b93c6 
…hecks

- Add strict 64-byte bounds checking for ed25519 signatures (reject any other length)
- Return 401 status instead of 404 when no challenge found (prevents address enumeration)
- Implement TOCTOU guard with atomic challenge consumption check
- Use isChallengeFresh() helper for consistent expiration checking
- Enforce proper error handling for all signature validation scenarios
- Add comprehensive inline documentation for security-critical functions

Acceptance Criteria Met:
✓ Login succeeds with Freighter wallet signatures (SEP-53 compliant)
✓ Incorrect signatures and expired challenges rejected with 401 status
✓ Redis blacklist lookups configured within latency budget
✓ Challenge atomicity prevents replay and concurrent consumption attacks

Closes DXmakers#470
@k-deejah k-deejah requested a review from soomtochukwu as a code owner May 29, 2026 17:50
@vercel
Copy link
Copy Markdown

vercel Bot commented May 29, 2026

@k-deejah is attempting to deploy a commit to the mAzI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@drips-wave
Copy link
Copy Markdown

drips-wave Bot commented May 29, 2026

@k-deejah Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@soomtochukwu soomtochukwu merged commit 2ba523e into DXmakers:main May 29, 2026
1 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@soomtochukwu soomtochukwu Awaiting requested review from soomtochukwu soomtochukwu is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BE-W3A-116] Web3 Signature Security and Auditing - Step 116

2 participants

@k-deejah @soomtochukwu