[HIGH] verifyQuizProof ignores 3 of 5 parameters — proof reusable across users

[DeFiVC]

Description

verifyQuizProof in src/stellar/signatures.ts:35-49 accepts (userAddress, quizId, score, hash, signature) but never reconstructs the hash from userAddress + quizId + score. It only verifies "this hash was signed by the platform key" — not "this hash corresponds to these specific arguments."

Additionally, createQuizProof includes timestamp: Date.now() (line 17), making each proof unique and non-reproducible for verification.

Impact

A proof for User A's quiz can be reused for User B. Proof verification is effectively meaningless.

File

src/stellar/signatures.ts:35-49 (verify)
src/stellar/signatures.ts:17 (create)

Suggested Fix

Reconstruct the expected hash from the provided arguments (userAddress, quizId, score) and verify it matches the provided hash before checking the signature. Remove or make the timestamp deterministic.

[Clement-coder]

Hello, I'm a Full Stack Blockchain, Mobile, and Software Engineer with experience building scalable applications, smart contracts, APIs, and modern user-focused products.

I've reviewed this issue and understand the requirements and expected outcome. My background allows me to quickly analyze problems, implement efficient solutions, and maintain high code quality throughout development. I'm confident in my ability to deliver a clean, well-tested, and maintainable solution, and I'd be excited to contribute to this project.

[Glam26]

I'd like to work on this issue.

I've reviewed the bug and agree that the current verification only proves the platform signed a hash, not that the hash corresponds to the supplied userAddress, quizId, and score. This allows proof replay across different users or quiz results.

My plan is to:

• Reconstruct the expected hash from userAddress + quizId + score during verification and compare it to the provided hash before signature validation.

• Remove the non-deterministic Date.now() component (or make it an explicit signed field if timestamps are required).

• Add regression tests covering:

  • Valid proof verification.
  • Replay attempts with a different user, quiz, or score.
  • Hash mismatch failures.
  • Signature tampering failures.

This will ensure proofs are deterministic, reproducible, and cryptographically bound to the quiz result they represent.

[Menjay7]

Hi! I came across this issue and would love to work on it. I have experience with similar tasks and I'm confident I can investigate, implement a clean solution, and thoroughly test it before submitting a PR. If the issue is still open, I would appreciate it if you could assign it to me. Thank you!

[grantfox-oss]

🦊 GrantFox — @Glam26 has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #30)
2. Your PR will be reviewed by the ChainLearnOfficial maintainers

Good luck! Track your progress on GrantFox.