Crypto Training
Signing Infrastructure Threat Model: Why Correct Crypto Still Loses Funds
Most major losses now happen above the cryptographic primitive layer. This post maps where signing pipelines fail and how to harden them end-to-end.
A correct ECDSA or BLS implementation guarantees only that a signature was produced by the holder of a key over a given message. It says nothing about whether that message is the one the operator meant to approve, so a protocol can sign malicious payloads with mathematically perfect cryptography. The losses come from the pipeline around signing.
```mermaid
flowchart LR
U[Operator intent] --> UI[Web UI / wallet UI]
UI --> T[Typed data construction]
T --> D[Device display]
D --> S[Signature output]
S --> C[On-chain execution]
X[Compromise at any stage] --> C
```
## Failure layers
| Layer | Typical compromise | Why key custody is not enough |
|---|---|---|
| UI bundle/CDN | payload substitution | device signs what it receives |
| Typed-data builder | wrong domain or fields | signature still verifies |
| Multi-sig orchestration | signers approve same wrong payload | threshold confirms attacker intent |
| Incident response | no timelock or guardrails | no time to cancel |
## EIP-712 must be complete, not partial
```solidity
pragma solidity ^0.8.20;

library PermitHash {
    // keccak256 of the Permit type string. Field order and types must match the
    // typed data the client builds, or the signature will not verify.
    bytes32 constant TYPEHASH = keccak256(
        "Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
    );

    // Struct hash only: the digest the signer actually signs also needs the
    // domain separator (see below).
    function hashPermit(
        address owner,
        address spender,
        uint256 value,
        uint256 nonce,
        uint256 deadline
    ) internal pure returns (bytes32) {
        return keccak256(abi.encode(TYPEHASH, owner, spender, value, nonce, deadline));
    }
}
```
The struct hash is only half of the digest. Under EIP-712 the signer signs `keccak256("\x19\x01" || domainSeparator || structHash)`, and the domain separator is what binds the chain id and the verifying contract; the struct hash binds owner, nonce and deadline. Dropping any of these binding fields widens the replay or phishing space: the signature still verifies, but for more messages, chains or contracts than the signer intended.
## End-to-end signing hardening
```mermaid
flowchart TD
A[Source-controlled tx templates] --> B[Deterministic typed-data build]
B --> C[Out-of-band payload diff]
C --> D[Hardware clear-sign display validation]
D --> E[Timelocked execution queue]
E --> F[Runtime monitors and kill-switch]
```
## Controls with highest risk reduction
- Out-of-band payload verification before final signing.
- Timelock for privileged ops (ownership transfer, upgrades, parameter jumps).
- Signer environment isolation (dedicated machines, restricted browser profile).
- Simulation gate for high-value ops: simulate the exact calldata that will be signed and refuse to sign if the resulting state diff deviates from the approved template.
## Operational drills
- Can your team revoke compromised signer routes within minutes?
- Can you halt privileged execution without halting user exits?
- Do you have deterministic logs tying signer intent to final calldata?
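The timelocked execution queue and kill-switch from the controls list, and the drill question of halting privileged execution without halting user exits, in one contract pair. This is an added example, not code from the page or from any specific protocol; the `proposer`/`guardian` roles, the 48-hour delay and the `Vault` contract are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal timelocked execution queue. The proposer (assumed to be the
/// operations multisig) queues privileged calls; a separate guardian key can
/// cancel or pause them but can never execute anything itself.
contract PrivilegedTimelock {
    address public immutable proposer;
    address public immutable guardian;
    uint256 public constant DELAY = 48 hours; // assumed delay

    bool public privilegedPaused;
    mapping(bytes32 => uint256) public readyAt; // operation id => earliest execution time

    event Queued(bytes32 indexed id, address target, bytes data, uint256 readyAt);
    event Cancelled(bytes32 indexed id);
    event Executed(bytes32 indexed id);

    constructor(address _proposer, address _guardian) {
        proposer = _proposer;
        guardian = _guardian;
    }

    // The id commits to target, calldata and salt, so the payload signers
    // reviewed is exactly the payload that can execute; a substituted payload
    // hashes to a different id that was never queued.
    function operationId(address target, bytes calldata data, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(target, data, salt));
    }

    function queue(address target, bytes calldata data, bytes32 salt) external {
        require(msg.sender == proposer, "timelock: not proposer");
        bytes32 id = operationId(target, data, salt);
        require(readyAt[id] == 0, "timelock: already queued");
        readyAt[id] = block.timestamp + DELAY;
        emit Queued(id, target, data, readyAt[id]);
    }

    // The delay window is the incident-response budget: a compromised proposer
    // key gives the guardian DELAY to cancel before anything lands on chain.
    function cancel(bytes32 id) external {
        require(msg.sender == guardian || msg.sender == proposer, "timelock: not allowed");
        require(readyAt[id] != 0, "timelock: unknown op");
        delete readyAt[id];
        emit Cancelled(id);
    }

    // Kill-switch for the privileged path only.
    function setPrivilegedPaused(bool paused) external {
        require(msg.sender == guardian, "timelock: not guardian");
        privilegedPaused = paused;
    }

    function execute(address target, bytes calldata data, bytes32 salt) external {
        bytes32 id = operationId(target, data, salt);
        uint256 eta = readyAt[id];
        require(eta != 0, "timelock: not queued");
        require(block.timestamp >= eta, "timelock: too early");
        require(!privilegedPaused, "timelock: privileged ops paused");
        delete readyAt[id];
        (bool ok, ) = target.call(data);
        require(ok, "timelock: call failed");
        emit Executed(id);
    }
}

/// Protected contract: only the privileged setter is gated by the timelock.
/// User withdrawals depend on neither the timelock nor the pause flag.
contract Vault {
    address public immutable timelock;
    uint256 public feeBps;
    mapping(address => uint256) public balances;

    constructor(address _timelock) { timelock = _timelock; }

    // Privileged parameter change: reachable only through the queue above.
    function setFeeBps(uint256 bps) external {
        require(msg.sender == timelock, "vault: only timelock");
        require(bps <= 1000, "vault: fee too high");
        feeBps = bps;
    }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    // User exit path: deliberately not pausable. Balance is reduced before the
    // external call (checks-effects-interactions), and 0.8.x reverts on underflow.
    function withdraw(uint256 amount) external {
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "vault: transfer failed");
    }
}
```

The separation of roles is the point: the guardian can stop the privileged path in one transaction, but because it cannot queue or execute, compromising the guardian key alone cannot move funds, and because `withdraw` never consults the timelock, pausing privileged execution leaves user exits open.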
## Audit checklist for signing paths
- Domain separator includes current chain id and contract address.
- Nonce progression cannot be bypassed by alternate code paths.
- Deadlines are mandatory for privileged signatures.
- Zero-address recoveries are rejected.
- Signature parsing accepts only known lengths (65-byte r,s,v and, if supported, the 64-byte EIP-2098 compact form) and rejects anything else rather than reading fields past the end of the input.
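A permit path that applies every item of the checklist above, together with the full EIP-712 digest (domain separator plus struct hash) that the earlier snippet leaves out. This is an added example, not the page's code or any library's implementation; the token name "Example", version "1", and the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract PermitChecklist {
    bytes32 private constant DOMAIN_TYPEHASH = keccak256(
        "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
    );
    bytes32 private constant PERMIT_TYPEHASH = keccak256(
        "Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
    );
    // secp256k1 n/2 (EIP-2): signatures with s above this have a second valid
    // encoding, so accepting them makes signature hashes malleable.
    uint256 private constant SECP256K1N_HALF =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    mapping(address => uint256) public nonces;
    mapping(address => mapping(address => uint256)) public allowance;

    // Checklist: domain separator includes the current chain id and this
    // contract's address. Recomputing from block.chainid (rather than caching a
    // deployment-time value) means a post-fork chain cannot replay signatures.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(
            DOMAIN_TYPEHASH,
            keccak256(bytes("Example")), // assumed token name
            keccak256(bytes("1")),       // assumed version
            block.chainid,
            address(this)
        ));
    }

    function permit(
        address owner,
        address spender,
        uint256 value,
        uint256 deadline,
        bytes calldata signature
    ) external {
        // Checklist: deadline is mandatory and enforced on chain.
        require(deadline >= block.timestamp, "permit: expired");

        // Checklist: the nonce is read and consumed on this one path; no other
        // function in the contract spends or resets owner nonces.
        uint256 nonce = nonces[owner]++;

        // Full EIP-712 digest: "\x19\x01" || domainSeparator || structHash.
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19\x01",
            domainSeparator(),
            keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, nonce, deadline))
        ));

        address recovered = recover(digest, signature);
        // Checklist: ecrecover returns address(0) on invalid input. Without this
        // check, any garbage signature would be a valid permit for owner == 0.
        require(recovered != address(0) && recovered == owner, "permit: bad signature");

        allowance[owner][spender] = value;
    }

    // Checklist: accept exactly the 65-byte (r,s,v) form and the 64-byte
    // EIP-2098 compact form; any other length reverts instead of being parsed.
    function recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        bytes32 r;
        bytes32 s;
        uint8 v;
        if (sig.length == 65) {
            r = bytes32(sig[0:32]);
            s = bytes32(sig[32:64]);
            v = uint8(sig[64]);
        } else if (sig.length == 64) {
            r = bytes32(sig[0:32]);
            bytes32 vs = bytes32(sig[32:64]);
            s = vs & bytes32(uint256((1 << 255) - 1)); // low 255 bits are s
            v = uint8(uint256(vs) >> 255) + 27;         // top bit is yParity
        } else {
            revert("permit: bad signature length");
        }
        require(uint256(s) <= SECP256K1N_HALF, "permit: high s");
        require(v == 27 || v == 28, "permit: bad v");
        return ecrecover(digest, v, r, s);
    }
}
```

The two places auditors most often find gaps are the `address(0)` comparison and the length dispatch in `recover`: a contract that only checks `recovered == owner` accepts any malformed signature for the zero address, and one that reads `sig[64]` without checking the length first will revert or misparse on compact signatures rather than handle them.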