Siwe Authentication
SIWE implementations that verify signature + nonce + chainId but omit `domain` / `uri.host` validation are vulnerable to cross-origin phishing replay — an attacker fetches a real nonce, phishes a victim into signing for an attacker-controlled origin, then replays the signature to the real service to bind attacker-controlled state to the victim's Web3 identity.
siweeip-4361authenticationweb3+4
9595DDBMay 13, 2026
62 uses0/090%