security_review/audit/topics/signature_payload_binding.md
664 bytes
# SpaceCash Security Review Topic: signature_payload_binding
- Severity if failed: `critical`
- Status: `not_reviewed`
- Reviewer:
- Reviewed at:
## Required Questions
- [ ] Can a valid signature be replayed on another chain id, action, amount, recipient, or product id?
- [ ] Can malformed JWK or signature encodings bypass verification?
## Expected Controls
- canonical JSON
- chain_id binding
- payload version
- address-derived public key
## Evidence Collected
- Source files reviewed:
- Commands/tests run:
- Artifacts reviewed:
## Findings
- None recorded yet.
## Closure Notes
- Decision: `not_reviewed`
- Notes: