nick-doc/Issues/ISSUE-082-frontend-wallet-ownership-signature-verification-is-a-no-op.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | labels | status | created | source |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 082 | Frontend: wallet ownership signature verification is a no-op | medium | Web3 | security, frontend, wallet | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |

Frontend: wallet ownership signature verification is a no-op

Severity: medium Domain: Web3 Labels: security, frontend, wallet

Description

src/sections/account/account-wallet-connection.tsx:425 has a verifySignature stub that always passes. The frontend does not actually verify that the signature matches the claimed wallet address, meaning any wallet address can be submitted without proof of ownership.

Options

  1. Implement real client-side verification with ethers.verifyMessage(message, signature) === wallet.address as a UX pre-check, keep backend authoritative.
  2. Remove the misleading verifySignature stub and rely solely on backend (document this).
  3. Both: client pre-check and confirm backend enforcement exists.

Recommendation

Implement ethers.verifyMessage as a UX gate AND verify the backend enforces ownership. The stub is actively misleading.
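
The no-op beside the recommended pre-check, as an added example that is not the project's code. The signer-recovery function is injected so the logic runs without a wallet; in the real component it is `ethers.verifyMessage`. The message format with an embedded address and nonce, and the assumption that recovery throws on a malformed signature, are mine.

```typescript
// Recovers the EIP-191 signer of a personal_sign signature. In the frontend
// this is `ethers.verifyMessage`; injected here for testing. Assumption:
// it throws on a malformed or wrong-length signature.
type RecoverSigner = (message: string, signature: string) => string;

// Before: the stub the audit flagged. Every address is accepted.
function verifySignatureStub(_message: string, _signature: string, _address: string): boolean {
  return true;
}

// Assumed message shape, binding the signature to one address and one attempt.
function buildOwnershipMessage(address: string, nonce: string): string {
  return `Link wallet ${address.toLowerCase()} nonce ${nonce}`;
}

// After: the UX pre-check. The backend must still perform the same check.
function verifyWalletOwnership(
  message: string,
  signature: string,
  claimedAddress: string,
  expectedNonce: string,
  recover: RecoverSigner,
): boolean {
  // Reject a message that was not issued for this address and nonce, so a
  // signature captured for another wallet or session cannot be reused.
  if (message !== buildOwnershipMessage(claimedAddress, expectedNonce)) return false;
  let signer: string;
  try {
    signer = recover(message, signature);
  } catch {
    return false; // malformed signature: not proof of anything
  }
  // Addresses arrive in EIP-55 checksum or lowercase form; a raw `===`
  // against wallet.address would reject valid proofs on a case mismatch.
  return signer.toLowerCase() === claimedAddress.toLowerCase();
}
```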

Affected Files

  • frontend/src/sections/account/account-wallet-connection.tsx:425

References