The signIn function checks whether a message has already been used via usedMessage[message], but it never marks the message as used after verification. This allows an attacker to replay the same signed message multiple times, leading to duplicate events and potential exploitation if downstream systems rely on event uniqueness. For example, if each SignIn event grants rewards, a user could claim rewards repeatedly by replaying the same signature.
Add usedMessage[message] = true; immediately after the signature verification to prevent replay attacks. This ensures each signed message can only be used once.
Lines 22–42
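The following is an added illustration, not the audited contract: a minimal reconstruction of the pattern described above, with the vulnerable function beside the fixed one. The contract name, signer-based authorization, bytes32 message type and EIP-191 digest format are assumptions; only the names signIn and usedMessage come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction of the finding; everything except the
// names signIn and usedMessage is assumed for illustration.
contract SignInReplayDemo {
    address public immutable signer;             // trusted off-chain signer (assumed)
    mapping(bytes32 => bool) public usedMessage; // keyed by the signed message

    event SignIn(address indexed user, bytes32 indexed message);

    constructor(address _signer) {
        signer = _signer;
    }

    // Shared verification: EIP-191 personal_sign digest recovered with ecrecover.
    function _verify(bytes32 message, bytes calldata sig) internal view {
        require(sig.length == 65, "bad sig length");
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", message)
        );
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == signer, "bad signer");
    }

    // VULNERABLE (the pattern in the finding): the check is present, but the
    // message is never marked as used, so the same signature replays freely.
    function signInVulnerable(bytes32 message, bytes calldata sig) external {
        require(!usedMessage[message], "message used");
        _verify(message, sig);
        emit SignIn(msg.sender, message);
    }

    // FIXED: mark the message used right after verification and before any
    // event or downstream effect, so a second call fails the require above.
    function signIn(bytes32 message, bytes calldata sig) external {
        require(!usedMessage[message], "message used");
        _verify(message, sig);
        usedMessage[message] = true;
        emit SignIn(msg.sender, message);
    }
}
```

Calling signIn twice with the same message and signature reverts on the second call, whereas signInVulnerable emits a second SignIn event for the same signature.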