Auth Service Nonce Cache Bypass Exposes Wallet Authentication to Replay Attacks
A critical security vulnerability has been identified in the authentication service at `backend/src/auth/auth.service.ts`, where nonce caching—the mechanism designed to prevent replay attacks—has been intentionally disabled. The code at lines 85-90 contains a temporary bypass that replaces the proper cache lookup with a direct pass-through: `const storedNonce = nonce;` A comment in the codebase states the bypass was introduced "for testing" but remains active in production code.
The verifySignature() method now accepts any nonce presented by a client without validation against previously used values. This means an attacker who intercepts a valid wallet signature can replay that same signature indefinitely. The nonce, which should be a single-use cryptographic token tied to session initialization, no longer expires or gets invalidated after use. Authentication attempts using compromised credentials remain valid permanently, creating a pathway for session hijacking without any time constraint.
The implications extend across any system relying on this authentication layer for wallet-based signature verification. Financial applications, decentralized platforms, and any service using cryptographic wallet authentication face elevated risk of unauthorized access. Security best practices require nonces to expire after a single use with a defined time window, neither of which this implementation enforces. The bypass was introduced as a testing measure but has not been reverted, suggesting either oversight in code review or a gap in deployment verification processes.
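The following TypeScript is an added illustration, not code from the repository described above. It places the pass-through pattern quoted from the advisory (`const storedNonce = nonce;`) beside a hardened form in which the nonce is issued by the service, bound to a wallet address, consumed on first use and rejected after a time window. `NonceStore`, `NONCE_TTL_MS`, `fakeCheck` and the `SignatureCheck` callback are hypothetical names; the signature check is a constructed stand-in for real wallet signature recovery.

```typescript
import { randomBytes } from "crypto";

// Constructed example: an in-memory single-use nonce store with a time window.
// NONCE_TTL_MS, NonceStore and the SignatureCheck callback are illustrative
// names chosen for this example, not the project's own identifiers.
const NONCE_TTL_MS = 5 * 60 * 1000;

interface NonceRecord {
  address: string;   // wallet address the nonce was issued to
  expiresAt: number; // absolute time (ms) after which the nonce is dead
}

type SignatureCheck = (address: string, nonce: string, signature: string) => boolean;

class NonceStore {
  private readonly records = new Map<string, NonceRecord>();
  // The clock is injectable so expiry can be exercised deterministically.
  constructor(private readonly now: () => number = () => Date.now()) {}

  // Issue a fresh random nonce bound to an address, valid once for NONCE_TTL_MS.
  issue(address: string): string {
    const nonce = randomBytes(16).toString("hex");
    this.records.set(nonce, { address: address.toLowerCase(), expiresAt: this.now() + NONCE_TTL_MS });
    return nonce;
  }

  // Consume the nonce: true only if it exists, is unexpired and belongs to this
  // address. It is deleted before any check returns, so it can never be reused.
  consume(address: string, nonce: string): boolean {
    const rec = this.records.get(nonce);
    this.records.delete(nonce);
    if (!rec) return false;
    if (rec.expiresAt < this.now()) return false;
    return rec.address === address.toLowerCase();
  }
}

// The bypass pattern from the advisory in simplified form: the "stored" nonce is
// the client-supplied one, so the comparison is a tautology and any previously
// seen signature is accepted again.
function verifySignatureBypassed(address: string, nonce: string, signature: string, check: SignatureCheck): boolean {
  const storedNonce = nonce; // should have been a cache lookup
  return storedNonce === nonce && check(address, nonce, signature);
}

// Hardened form: the nonce is looked up in and removed from the store before the
// signature is examined, so a second presentation fails at the nonce step.
function verifySignatureHardened(store: NonceStore, address: string, nonce: string, signature: string, check: SignatureCheck): boolean {
  if (!store.consume(address, nonce)) return false;
  return check(address, nonce, signature);
}

// Constructed stand-in for wallet signature recovery: a "signature" is valid when it
// equals "sig:<address>:<nonce>". A real service recovers the signer from the
// signature bytes and compares it with the claimed address.
const fakeCheck: SignatureCheck = (address, nonce, signature) =>
  signature === `sig:${address.toLowerCase()}:${nonce}`;

// Present the same signed message twice to both implementations, then exercise expiry.
function replayScenario(): { bypassReplay: boolean; hardenedFirst: boolean; hardenedReplay: boolean; hardenedExpired: boolean } {
  let clock = 1_000_000;
  const store = new NonceStore(() => clock);
  const address = "0xAbC123"; // constructed sample address

  const nonce = store.issue(address);
  const signature = `sig:${address.toLowerCase()}:${nonce}`;

  const hardenedFirst = verifySignatureHardened(store, address, nonce, signature, fakeCheck);  // first use: ok
  const hardenedReplay = verifySignatureHardened(store, address, nonce, signature, fakeCheck); // second use: rejected
  const bypassReplay = verifySignatureBypassed(address, nonce, signature, fakeCheck);          // bypass: still accepted

  // A fresh nonce that is presented only after the time window has elapsed.
  const nonce2 = store.issue(address);
  clock += NONCE_TTL_MS + 1;
  const hardenedExpired = verifySignatureHardened(store, address, nonce2, `sig:${address.toLowerCase()}:${nonce2}`, fakeCheck);

  return { bypassReplay, hardenedFirst, hardenedReplay, hardenedExpired };
}
```

Deleting the record before evaluating any condition in `consume` is the detail worth keeping when porting this to a shared cache such as Redis: use an atomic get-and-delete (or a single-use token with a TTL) so that two concurrent requests cannot both observe the nonce as present.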