One Signature, Multiple Payments: Demystifying and Detecting Signature Replay Vulnerabilities in Smart Contracts
Zexu Wang, Jiachi Chen, Zewei Lin, Wenqing Chen, Kaiwen Ning, Jianxing Yu, Yuming Feng, Yu Zhang, Weizhe Zhang, Zibin Zheng
TL;DR
This work tackles Signature Replay Vulnerabilities (SRVs) in smart contracts, where signatures are reused due to weak usage checks. It first conducts the inaugural empirical study of SRVs by analyzing 1,419 audit reports to define five SRV types and then introduces LASiR, a system that couples LLM-assisted static taint analysis with symbolic execution to detect SRVs across large codebases. Evaluations on nearly a million contracts across four chains show SRVs affect $4.76$ million in assets, with Ethereum showing notable prevalence; LASiR achieves a high recall ($>0.95$) and precision (~$0.82$), outperforming baselines and illustrating the value of integrating semantic reasoning with formal verification. The findings underscore the practical impact of SRVs and demonstrate that LLM-guided analysis can significantly enhance automated vulnerability detection in smart contracts, with open-source tooling and datasets to support future research.
Abstract
Smart contracts have significantly advanced blockchain technology, and digital signatures are crucial for reliable verification of contract authority. Through signature verification, smart contracts can ensure that signers possess the required permissions, thus enhancing security and scalability. However, lacking checks on signature usage conditions can lead to repeated verifications, increasing the risk of permission abuse and threatening contract assets. We define this issue as the Signature Replay Vulnerability (SRV). In this paper, we conducted the first empirical study to investigate the causes and characteristics of the SRVs. From 1,419 audit reports across 37 blockchain security companies, we identified 108 with detailed SRV descriptions and classified five types of SRVs. To detect these vulnerabilities automatically, we designed LASiR, which utilizes the general semantic understanding ability of Large Language Models (LLMs) to assist in the static taint analysis of the signature state and identify the signature reuse behavior. It also employs path reachability verification via symbolic execution to ensure effective and reliable detection. To evaluate the performance of LASiR, we conducted large-scale experiments on 15,383 contracts involving signature verification, selected from the initial dataset of 918,964 contracts across four blockchains: Ethereum, Binance Smart Chain, Polygon, and Arbitrum. The results indicate that SRVs are widespread, with affected contracts holding $4.76 million in active assets. Among these, 19.63% of contracts that use signatures on Ethereum contain SRVs. Furthermore, manual verification demonstrates that LASiR achieves an F1-score of 87.90% for detection. Ablation studies and comparative experiments reveal that the semantic information provided by LLMs aids static taint analysis, significantly enhancing LASiR's detection performance.