F-2026-0015·wallet-ux-opacity

EIP-191 personal-sign instead of EIP-712 typed data reduces wallet transparency

Fixed · vault · leveraged · prediction-market · github.com/bloom-art/dripster-lend
TL;DR

Pre-audit, SignatureLib used EIP-191 toEthSignedMessageHash with packed encoding, displaying an opaque hash in user wallets rather than human-readable structured data. Migrated to EIP-712 typed data before the manual audit began.

Severity
INFO
Impact
LOW
Likelihood
LOW
Method
Manual review
CAT.
Complexity
LOW
Exploitability
LOW
Description

At the time of the Krait pre-audit (commit 5eae950, 2026-04-07), SignatureLib used EIP-191 (toEthSignedMessageHash) with custom packed encoding and inline assembly. While functionally secure (chainid() and address(this) were already included for replay protection), EIP-191 displays an opaque hash in user wallets rather than human-readable structured data, and prevents users from verifying what they are signing.

Recommendation

Migrate signature verification to EIP-712 typed data. Both CreatePosition and FinalizeSettle payloads have well-defined structured fields suitable for EIP712Domain plus struct-hash encoding.
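As an added illustration (not the project's SignatureLib), a minimal EIP-712 verifier in the shape the recommendation describes: an EIP712Domain separator plus a struct hash, so a wallet renders the payload fields instead of an opaque hash. The CreatePosition field names, the domain name and the version are assumptions, since the page does not list the real payload fields.

```solidity
pragma solidity ^0.8.20;

/// Illustrative EIP-712 verification library (example code, not the audited SignatureLib).
/// The CreatePosition fields, domain name and version below are assumptions.
library TypedSignatureLib {
    struct CreatePosition {   // hypothetical payload; field set is assumed
        address owner;
        uint256 collateral;
        uint256 nonce;
        uint256 deadline;
    }

    bytes32 internal constant DOMAIN_TYPEHASH = keccak256(
        "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
    );
    bytes32 internal constant CREATE_POSITION_TYPEHASH = keccak256(
        "CreatePosition(address owner,uint256 collateral,uint256 nonce,uint256 deadline)"
    );
    // secp256k1 curve order / 2: a signature whose s exceeds this is rejected (malleability).
    uint256 internal constant HALF_ORDER =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    // chainId and verifyingContract keep the replay protection the EIP-191 version already had
    // via chainid()/address(this), but now inside a structure wallets can show field by field.
    function domainSeparator() internal view returns (bytes32) {
        return keccak256(abi.encode(
            DOMAIN_TYPEHASH, keccak256("ExampleVault"), keccak256("1"), block.chainid, address(this)
        ));  // "ExampleVault" / "1" are assumed domain name and version
    }

    function structHash(CreatePosition memory p) internal pure returns (bytes32) {
        // abi.encode, not abi.encodePacked: EIP-712 pads every field to 32 bytes.
        return keccak256(abi.encode(CREATE_POSITION_TYPEHASH, p.owner, p.collateral, p.nonce, p.deadline));
    }

    // "\x19\x01" || domainSeparator || structHash is the digest signed via eth_signTypedData.
    function digest(CreatePosition memory p) internal view returns (bytes32) {
        return keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash(p)));
    }

    function recoverSigner(CreatePosition memory p, bytes memory sig) internal view returns (address) {
        require(sig.length == 65, "bad sig length");
        bytes32 r; bytes32 s; uint8 v;
        assembly { r := mload(add(sig, 32)) s := mload(add(sig, 64)) v := byte(0, mload(add(sig, 96))) }
        require(uint256(s) <= HALF_ORDER && (v == 27 || v == 28), "malleable or bad v");
        address signer = ecrecover(digest(p), v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }
}
```

The caller compares the recovered signer against the expected owner and consumes the nonce; a wallet presenting this request shows owner, collateral, nonce and deadline as labelled fields rather than one 32-byte hash.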

Resolution

Fixed. SignatureLib migrated to EIP-712 typed data before the manual audit began.

Status
Fixed

© 2026 Zealynx