Sig.Network

We express our gratitude to the Sig.Network team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Chain signatures is an MPC service that facilitates the ability to sign arbitrary payloads by calling into a smart contract and eventually getting back a signature. This signature can be used for various purposes such as deriving new public keys associated to foreign chains (Ethereum, Bitcoin, etc.).

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

• Functional requirements are detailed.

• • Project overview is detailed

  • All roles in the system are described.

  • Use cases are described and detailed.

  • For each contract, all futures are described.

  • All interactions are described.

• Technical description is detailed.

• • Run instructions are provided.

  • Technical specification is provided.

  • The NatSpec documentation is sufficient.

Code quality

• The development environment is configured.

Test coverage

Code coverage of the project is 58.33% (branch coverage).

• Deployment and basic user interactions are covered with tests.

• Negative cases coverage is missed.

Chain Signatures is an MPC service that enables users to request and receive cryptographic signatures for arbitrary payloads on-chain. The protocol leverages secp256k1 elliptic curve cryptography to facilitate secure, decentralized signing operations, supporting key derivation and signature verification across multiple blockchain networks.

Files in Scope

• ChainSignatures.sol - Manages the full lifecycle of signature requests, from submission to response validation.

Key Features

Initialization

• The contract is initialized with an MPC-controlled account (_mpc_network) that has administrative privileges.

• A configurable deposit amount (signatureDeposit) is required for submitting signing requests, preventing spam and ensuring commitment.

Request Handling

• Users submit signing requests with payload details, a specified key version, and a required deposit.

• The contract emits a SignatureRequested event containing the payload, derivation path, algorithm, destination, and additional parameters.

• Requests are linked to the sender’s address and the current blockchain (chainId).

Signature Response

• Responses are submitted off-chain and later broadcast to the network.

• Upon receiving a signature response, the contract emits a SignatureResponded event containing the request ID and the provided signature.

• In case of an error, responders can emit a SignatureError event with an associated error message.

Financial Safeguards

• Deposits ensure financial commitment from requesters and can be adjusted by the MPC-controlled account.

• An administrative role allows withdrawals from the contract’s balance to prevent fund accumulation.

Key Changes

Several functionalities were removed during the remediation phase of the audit. Public key management and key derivation functions are no longer included, along with epsilon derivation. The system no longer tracks signature requests, checks for duplicate requests, or validates payload limits. Signature verification using ecrecover() has been removed, as well as the deposit refund mechanism and dynamic deposit calculation.

Privileged Roles

Chain Signatures employs role-based access control through OpenZeppelin’s AccessControl:

Administrative Control

• The _mpc_network is granted the DEFAULT_ADMIN_ROLE, allowing it to:

• • Adjust the signatureDeposit amount.

  • Withdraw contract funds.

User-driven Interactions

• Signing requests and responses are open to all users, ensuring decentralized operation.

• Signature validity must be verified off-chain before usage, as the contract does not enforce cryptographic checks internally.

The scope of the project includes the following smart contracts from the provided repository:

Assets in Scope