The SignatureReplay example doesn't pose any threats to the victim. #7

Open
@sreewin333

Description

In the SignatureReplay example contract, the victim's v, r, s values can be reused multiple times in the withdrawBySig() function. However, the funds in the contract ultimately go to the legitimate signer (the victim), and the attacker does not gain any financial benefit from calling the withdrawBySig() function with the victim's v, r, s values. The attacker ends up losing money by paying the gas fees for the transaction, while the signer benefits because they can withdraw their funds without paying gas fees in the future.

Here are the logs from the modified test_signatureReplay() function:

[PASS] test_signatureReplay() (gas: 1342404)
Logs:
  attacker balance: 0
  victim balance: 100000000000000000000
  victim balance in the contract: 0

The attacker does not steal any funds from the victim, and the victim’s balance returns to the original amount (i.e., 100 ether).

I believe this example would be more effective if adjustments were made to the contract to demonstrate a scenario where the victim actually loses money to the attacker. This would help students better understand the concept and risks of replay attacks.

Thank you for the content, Patrick and team ❤️
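Whoever ends up holding the funds, the standard way to make a withdrawBySig-style function replay-resistant is to bind each signature to a per-signer nonce (plus the contract address, chain id and a deadline) and consume that nonce before any value moves. The contract below is an added illustration written for this issue, not the course's SignatureReplay contract; its name, storage layout and digest format are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical vault (not the course's SignatureReplay contract) showing a
/// replay-resistant withdrawBySig: the signed digest commits to the signer,
/// amount, the signer's current nonce, a deadline, this contract's address
/// and the chain id, and the nonce is advanced before funds are sent.
contract NonceProtectedVault {
    mapping(address => uint256) public balances;
    mapping(address => uint256) public nonces;

    error BadSignature();
    error Expired();

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    /// Digest the signer must sign, wrapped in the EIP-191 personal-sign prefix.
    /// Because nonces[signer] is part of it, every signature is single-use.
    function withdrawDigest(address signer, uint256 amount, uint256 deadline)
        public view returns (bytes32)
    {
        bytes32 structHash = keccak256(
            abi.encode(signer, amount, nonces[signer], deadline, address(this), block.chainid)
        );
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", structHash));
    }

    /// Anyone (a relayer) may submit the signature and pay the gas; funds only
    /// ever go to the signer. Resubmitting the same (v, r, s) reverts with
    /// BadSignature because the nonce in the recomputed digest has changed.
    function withdrawBySig(
        address signer, uint256 amount, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        if (block.timestamp > deadline) revert Expired();
        bytes32 digest = withdrawDigest(signer, amount, deadline);
        address recovered = ecrecover(digest, v, r, s);
        if (recovered == address(0) || recovered != signer) revert BadSignature();

        nonces[signer] += 1;          // consume the nonce before any external call
        balances[signer] -= amount;   // 0.8+ checked arithmetic reverts on underflow
        (bool ok, ) = signer.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A Foundry test for this would sign withdrawDigest() once with vm.sign, call withdrawBySig twice with the same (v, r, s), and expect the second call to revert with BadSignature().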
