Last updated: February 06, 2026

SCWE-131: Missing Domain Separation in Aggregate Signatures

Stable Version v1.0

This content is in version v1.0 and is still under active development, so it is subject to change at any time (e.g., structure, IDs, content, URLs).

Relationships

Description

BLS/aggregate signature schemes that omit domain separation (e.g., chain id, contract, purpose) allow signature replay across domains. A valid signature for one network or message type can be reused elsewhere to authorize unintended actions.

Remediation

  • Include explicit domain separation tags in the signed message for every aggregate signature.
  • Verify domains on-chain and reject signatures from unknown domains.
  • Use well-reviewed libraries and EIP-712 style typed data for aggregate schemes.

Examples

Vulnerable

bytes32 message = keccak256(abi.encode(data)); // no domain tag

Fixed

bytes32 message = keccak256(abi.encode(DOMAIN_SEPARATOR, keccak256(data)));
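One way to build the DOMAIN_SEPARATOR used in the fixed line, following the remediation points above (chain id, contract, purpose, EIP-712 style typed data, rejecting unknown domains). This is an added example, not code from the SCWE page; the contract name, the Attestation type, the name and version strings and all function names are assumptions, and the aggregate signature verification itself is outside its scope.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; contract, struct and function names are hypothetical.
contract AggregateDomain {
    // EIP-712 domain type: binds name, version, chain id and verifying contract.
    bytes32 private constant DOMAIN_TYPEHASH = keccak256(
        "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
    );
    // Purpose tag: one type hash per message kind, so a signature made for one
    // purpose never matches the digest of another.
    bytes32 private constant ATTESTATION_TYPEHASH = keccak256("Attestation(bytes32 dataHash)");

    uint256 private immutable cachedChainId;
    bytes32 private immutable cachedSeparator;

    error UnknownDomain(bytes32 claimed);

    constructor() {
        cachedChainId = block.chainid;
        cachedSeparator = buildSeparator();
    }

    function buildSeparator() private view returns (bytes32) {
        return keccak256(abi.encode(
            DOMAIN_TYPEHASH,
            keccak256(bytes("AggregateDomain")), // constructed name
            keccak256(bytes("1")),               // constructed version
            block.chainid,
            address(this)
        ));
    }

    // Rebuild if the chain id changed (fork), so the cached value is never reused there.
    function domainSeparator() public view returns (bytes32) {
        return block.chainid == cachedChainId ? cachedSeparator : buildSeparator();
    }

    // Returns the digest to pass to the aggregate verifier; reverts when the
    // caller-supplied domain is not this contract's domain on this chain.
    function messageToVerify(bytes32 claimedDomain, bytes calldata data)
        external view returns (bytes32)
    {
        if (claimedDomain != domainSeparator()) revert UnknownDomain(claimedDomain);
        bytes32 structHash = keccak256(abi.encode(ATTESTATION_TYPEHASH, keccak256(data)));
        return keccak256(abi.encodePacked("\x19\x01", claimedDomain, structHash));
    }
}
```

Because the digest covers the chain id, the contract address and the message type, a signature produced for another network, another deployment or another message kind yields a different digest and fails verification.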