Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
| issue | title | severity | domain | labels | status | created | source |
|---|---|---|---|---|---|---|---|
| 082 | Frontend: wallet ownership signature verification is a no-op | medium | Web3 | security, frontend, wallet | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |
Frontend: wallet ownership signature verification is a no-op
Severity: medium Domain: Web3 Labels: security, frontend, wallet
Description
src/sections/account/account-wallet-connection.tsx:425 contains a verifySignature stub that returns success unconditionally. The frontend therefore never checks that the signature recovers to the claimed wallet address, so any address can be submitted together with an arbitrary (or empty) signature. Whether this is exploitable depends on the backend: if the server performs its own signature recovery, the stub is only misleading; if the server trusts the client-side result, anyone can link a wallet address they do not control.
Options
- Implement real client-side verification with `ethers.verifyMessage(message, signature)` compared against `wallet.address` as a UX pre-check, keeping the backend authoritative. `verifyMessage` returns the EIP-55 checksummed (mixed-case) address, so normalise both sides (`ethers.getAddress`, or lowercase) before comparing, or a correct signature will be rejected.
- Remove the misleading `verifySignature` stub and rely solely on the backend (document this).
- Both: client pre-check and confirm backend enforcement exists.
Recommendation
Implement ethers.verifyMessage as a UX gate AND verify the backend enforces ownership. The stub is actively misleading. The backend check is the one that matters: it should recover the signer from a challenge message it issued itself (containing a server-side nonce) rather than from a client-supplied string, so that a captured signature cannot be replayed to link the same address again.
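The check the recommendation asks for, written out in full as an added example (not the project's code and not the ethers source): EIP-191 hashing, secp256k1 public-key recovery, address derivation and a case-insensitive compare, which is what `ethers.verifyMessage(message, signature)` does in a single call on the client. It is in Python so the backend-side logic can be read without a Web3 library; everything, including keccak-256, is implemented inline so it runs offline. The private key, the nonce and the challenge text are constructed for the demo, and `sign_message` derives its nonce k with an HMAC instead of RFC 6979, which is acceptable only because the signing side exists here to produce a test input.

```python
"""What ethers.verifyMessage does, spelled out: EIP-191 hashing, secp256k1 public-key recovery,
address derivation and a case-insensitive compare. Example code, not the project's verifySignature."""
import hmac
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14]

def _rotl(v, n):
    return ((v << n) | (v >> (64 - n))) & ((1 << 64) - 1) if n else v

def _keccak_f(a):                        # Keccak-f[1600]; lane index = x + 5*y
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                                   # theta
        b = [0] * 25
        for i in range(25):
            x, y = i % 5, i // 5
            b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(a[i], _ROT[i])                # rho + pi
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)]) for i in range(25)]  # chi
        a[0] ^= rc                                                                  # iota
    return a

def keccak256(data: bytes) -> bytes:    # original 0x01 padding; hashlib.sha3_256 (0x06 padding) is NOT this
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)
    buf[-1] |= 0x80
    st = [0] * 25
    for off in range(0, len(buf), 136):
        for i in range(17):
            st[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        st = _keccak_f(st)
    return b"".join(w.to_bytes(8, "little") for w in st[:4])

P = 2**256 - 2**32 - 977                 # secp256k1 field prime, group order and base point
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):                        # affine point addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if x1 == x2 else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, p):                        # double-and-add scalar multiplication
    r = None
    while k:
        r = ec_add(r, p) if k & 1 else r
        p, k = ec_add(p, p), k >> 1
    return r

def pubkey_address(pt) -> str:           # last 20 bytes of keccak256(x || y) of the public key
    return "0x" + keccak256(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big"))[-20:].hex()

def eip191_hash(message: str) -> bytes:  # what personal_sign / signMessage actually sign
    body = message.encode()
    return keccak256(b"\x19Ethereum Signed Message:\n" + str(len(body)).encode() + body)

def sign_message(priv: int, message: str) -> str:   # wallet side, demo input only; k = HMAC(hash), not RFC 6979
    h = eip191_hash(message)
    z, k = int.from_bytes(h, "big"), int.from_bytes(hmac.new(priv.to_bytes(32, "big"), h, "sha256").digest(), "big") % N
    x, y = ec_mul(k, G)
    r = x % N
    s, v = pow(k, -1, N) * (z + r * priv) % N, 27 + (y & 1)
    if s > N // 2:                       # canonical low-s; -s pairs with -R, so the recovery bit flips too
        s, v = N - s, 55 - v
    return "0x" + r.to_bytes(32, "big").hex() + s.to_bytes(32, "big").hex() + f"{v:02x}"

def recover_address(message: str, signature: str) -> str:
    sig = bytes.fromhex(signature[2:] if signature.startswith("0x") else signature)
    if len(sig) != 65:
        raise ValueError("signature must be 65 bytes r||s||v")
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big")
    v = sig[64] + 27 if sig[64] < 27 else sig[64]
    rhs = (pow(r, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)        # square root, valid because P % 4 == 3; confirmed below
    if not (0 < r < N and 0 < s <= N // 2) or v not in (27, 28) or pow(y, 2, P) != rhs:
        raise ValueError("malformed or non-canonical signature")   # high-s is a malleable twin; reject it
    if (y & 1) != (v - 27):
        y = P - y
    z, rinv = int.from_bytes(eip191_hash(message), "big"), pow(r, -1, N)
    return pubkey_address(ec_add(ec_mul(s * rinv % N, (r, y)), ec_mul(-z * rinv % N, G)))   # Q = r^-1 (sR - zG)

def verify_wallet_ownership(challenge: str, signature: str, claimed: str) -> bool:
    """Authoritative check. `challenge` is the nonce-bearing text the server itself issued, never a client string."""
    try:   # lowercase both sides: wallets report EIP-55 mixed case, recovery yields plain hex
        return recover_address(challenge, signature) == claimed.lower()
    except ValueError:
        return False

TEST_PRIV = 0x4c0883a69102937d6231471b5dbb6204fe5129617082792ae468d01a3f362318   # constructed demo key
CHALLENGE = "example.app wants you to prove you own this wallet\nnonce: 7f3a9c2e"   # nonce is constructed too
```

On the frontend this collapses to `ethers.verifyMessage(message, signature).toLowerCase() === wallet.address.toLowerCase()` (or comparing against `ethers.getAddress(wallet.address)`), because `verifyMessage` hands back the EIP-55 mixed-case form. What must not collapse is the server side: it builds `challenge` from a nonce it issued and stored, so a signature captured from one login cannot be replayed, and it rejects high-s signatures, so a malleated twin of an already-used signature cannot slip past a used-signature list.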
Affected Files
frontend/src/sections/account/account-wallet-connection.tsx:425
References
- Full Codebase Audit 2026-05-30 — DEC-6