--- issue: 082 title: "Frontend: wallet ownership signature verification is a no-op" severity: medium domain: Web3 labels: [security, frontend, wallet] status: open created: 2026-05-30 source: Full Codebase Audit 2026-05-30 --- # Frontend: wallet ownership signature verification is a no-op **Severity:** medium **Domain:** Web3 **Labels:** security, frontend, wallet ## Description `src/sections/account/account-wallet-connection.tsx:425` has a `verifySignature` stub that always passes. The frontend does not actually verify that the signature matches the claimed wallet address, meaning any wallet address can be submitted without proof of ownership. ## Options 1. Implement real client-side verification with `ethers.verifyMessage(message, signature) === wallet.address` as a UX pre-check, keep backend authoritative. 2. Remove the misleading `verifySignature` stub and rely solely on backend (document this). 3. Both: client pre-check and confirm backend enforcement exists. ## Recommendation Implement `ethers.verifyMessage` as a UX gate AND verify the backend enforces ownership. The stub is actively misleading. ## Affected Files - `frontend/src/sections/account/account-wallet-connection.tsx:425` ## References - [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-6