From d8f2c11a38066147eb22f377728161c22cceac96 Mon Sep 17 00:00:00 2001
From: Truphile <salidmonreal@gmail.com>
Date: Thu, 25 Jun 2026 14:22:37 -0400
Subject: [PATCH] fix: secure verifyQuizProof to check hash against parameters

---
 src/stellar/signatures.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/stellar/signatures.ts b/src/stellar/signatures.ts
index 36b8702..18df0df 100644
--- a/src/stellar/signatures.ts
+++ b/src/stellar/signatures.ts
@@ -14,7 +14,7 @@ export function createQuizProof(
   score: number
 ): { hash: string; signature: string } {
   const payload = Buffer.from(
-    JSON.stringify({ userAddress, quizId, score, timestamp: Date.now() })
+    JSON.stringify({ userAddress, quizId, score })
   );
 
   const hash = crypto.createHash("sha256").update(payload).digest();
@@ -40,6 +40,16 @@ export function verifyQuizProof(
   signature: string
 ): boolean {
   try {
+    const expectedPayload = Buffer.from(
+      JSON.stringify({ userAddress, quizId, score })
+    );
+    const expectedHash = crypto.createHash("sha256").update(expectedPayload).digest("hex");
+
+    if (hash !== expectedHash) {
+      logger.warn({ quizId, provided: hash, expected: expectedHash }, "Quiz proof hash mismatch");
+      return false;
+    }
+
     const keypair = getPlatformKeypair();
     const hashBuffer = Buffer.from(hash, "hex");
     return keypair.verify(hashBuffer, Buffer.from(signature, "base64"));