Description
verifyQuizProof in src/stellar/signatures.ts:35-49 accepts (userAddress, quizId, score, hash, signature) but never reconstructs the hash from userAddress + quizId + score. It only verifies "this hash was signed by the platform key" — not "this hash corresponds to these specific arguments."
Additionally, createQuizProof includes timestamp: Date.now() (line 17), making each proof unique and non-reproducible for verification.
Impact
A proof for User A's quiz can be reused for User B. Proof verification is effectively meaningless.
File
src/stellar/signatures.ts:35-49 (verify)
src/stellar/signatures.ts:17 (create)
Suggested Fix
Reconstruct the expected hash from the provided arguments (userAddress, quizId, score) and verify it matches the provided hash before checking the signature. Remove or make the timestamp deterministic.
Description
verifyQuizProofinsrc/stellar/signatures.ts:35-49accepts(userAddress, quizId, score, hash, signature)but never reconstructs the hash fromuserAddress + quizId + score. It only verifies "this hash was signed by the platform key" — not "this hash corresponds to these specific arguments."Additionally,
createQuizProofincludestimestamp: Date.now()(line 17), making each proof unique and non-reproducible for verification.Impact
A proof for User A's quiz can be reused for User B. Proof verification is effectively meaningless.
File
src/stellar/signatures.ts:35-49(verify)src/stellar/signatures.ts:17(create)Suggested Fix
Reconstruct the expected hash from the provided arguments (userAddress, quizId, score) and verify it matches the provided hash before checking the signature. Remove or make the timestamp deterministic.