No signature re-verification before settlement

[a6b8]

Classification

• Security hardening

Problem

settleTransaction() (line 542-611) does not re-verify the signature before the sendTransaction() call. It trusts that validatePaymentSignatureRequestPayload() ran previously.

Affected Files

• src/v2/exact/evm/ServerExact.mjs lines 542-611

Expected vs Actual

• Expected: Signature is re-verified immediately before funds transfer
• Actual: Settlement blindly trusts prior validation

Recommendation

Add signature check directly in settleTransaction() before sendTransaction(). Defense-in-depth principle.

Severity

MEDIUM