fix: Blind-signing bypass in EIP-712 FULL filtering activation

Cerberus Merlin · Cerberus Merlin · commit f132072331e5 · 2026-04-09T15:00:47.000Z
diff --git a/src/features/sign_message_eip712/commands_712.c b/src/features/sign_message_eip712/commands_712.c
@@ -291,7 +291,7 @@ uint16_t handle_eip712_sign(const uint8_t *cdata, uint8_t length, uint32_t *flag
              (path_get_field() != NULL)) {
         apdu_response_code = SWO_INCORRECT_DATA;
     } else if ((ui_712_get_filtering_mode() == EIP712_FILTERING_FULL) &&
-               (ui_712_remaining_filters() != 0)) {
+               (!ui_712_message_info_received() || (ui_712_remaining_filters() != 0))) {
         PRINTF("%d EIP712 filters are missing\n", ui_712_remaining_filters());
         apdu_response_code = SWO_REFERENCED_DATA_NOT_FOUND;
     } else if (!all_calldata_info_processed() || (get_tx_ctx_count() != 0)) {
diff --git a/src/features/sign_message_eip712/ui_logic.c b/src/features/sign_message_eip712/ui_logic.c
@@ -63,6 +63,7 @@ typedef struct {
     bool end_reached;
     e_eip712_filtering_mode filtering_mode;
     uint8_t filters_to_process;
+    bool message_info_received;
     uint8_t field_flags;
     uint8_t structs_to_review;
     s_amount_context amount;
@@ -1171,6 +1172,7 @@ e_eip712_filtering_mode ui_712_get_filtering_mode(void) {
  */
 void ui_712_set_filters_count(uint8_t count) {
     ui_ctx->filters_to_process = count;
+    ui_ctx->message_info_received = true;
 }
 
 /**
@@ -1182,6 +1184,10 @@ uint8_t ui_712_remaining_filters(void) {
     return ui_ctx->filters_to_process - flist_size((flist_node_t **) &ui_ctx->filters_crc);
 }
 
+bool ui_712_message_info_received(void) {
+    return ui_ctx->message_info_received;
+}
+
 /**
  * Reset all the UI struct field flags
  */
diff --git a/src/features/sign_message_eip712/ui_logic.h b/src/features/sign_message_eip712/ui_logic.h
@@ -91,6 +91,7 @@ void ui_712_set_filtering_mode(e_eip712_filtering_mode mode);
 e_eip712_filtering_mode ui_712_get_filtering_mode(void);
 void ui_712_set_filters_count(uint8_t count);
 uint8_t ui_712_remaining_filters(void);
+bool ui_712_message_info_received(void);
 void ui_712_queue_struct_to_review(void);
 void ui_712_token_join_prepare_addr_check(uint8_t index);
 bool ui_712_token_join_prepare_amount(uint8_t index, const char *name, uint8_t name_length);
