The isValidSignatureUnsafe() is redundant
Description
In the PasskeyRegistryModule, both the isValidSignature() and isValidSignatureUnsafe() functions have the same code. They both call isValidSignatureForAddress(), which will add the "\x19Ethereum Signed Message:\n52" prefix to the data hash and smart account address prior to hashing it and then verifying the signature against it.
This seems to be a copy-paste error, as in the EcdsaOwnershipRegistryModule, the isValidSignatureUnsafe() function calls isValidSignatureForAddressUnsafe(), which does not perform the same prefixing plus hashing.
Impact
The isValidSignatureUnsafe() function is currently redundant, as it does the same thing as the isValidSignature() function. This does not affect any core functionality of the module, and thus it is an Informational finding.
Recommendations
Consider porting over the isValidSignatureForAddressUnsafe() function from EcdsaOwnershipRegistryModule, and then having isValidSignatureUnsafe() call this function instead.
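The recommended wiring as a Solidity sketch, added here as an illustration and not taken from either Biconomy module. The contract name, the ownerOf mapping, the ECDSA check standing in for passkey verification, and the use of msg.sender as the smart account are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration: names, storage and the ECDSA stand-in are assumptions,
// not code from PasskeyRegistryModule or EcdsaOwnershipRegistryModule.
contract UnsafeVariantSketch {
    bytes4 internal constant EIP1271_MAGIC_VALUE = 0x1626ba7e;
    bytes4 internal constant INVALID = 0xffffffff;
    mapping(address => address) public ownerOf; // smart account => signer

    function setOwner(address signer) external { ownerOf[msg.sender] = signer; }

    // Safe helper: prefixes dataHash and the account (32 + 20 = 52 bytes), then hashes.
    function isValidSignatureForAddress(bytes32 dataHash, bytes memory sig, address account)
        public view returns (bytes4)
    {
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n52", dataHash, account));
        return _verify(digest, sig, account) ? EIP1271_MAGIC_VALUE : INVALID;
    }

    // Unsafe helper: verifies against dataHash as supplied, no prefix and no re-hash.
    function isValidSignatureForAddressUnsafe(bytes32 dataHash, bytes memory sig, address account)
        public view returns (bytes4)
    {
        return _verify(dataHash, sig, account) ? EIP1271_MAGIC_VALUE : INVALID;
    }

    // Pattern described in the finding: the "unsafe" entry point reuses the safe helper.
    function isValidSignatureUnsafeAsReported(bytes32 dataHash, bytes memory sig) external view returns (bytes4) {
        return isValidSignatureForAddress(dataHash, sig, msg.sender);
    }

    // Recommended shape: the "unsafe" entry point calls the unsafe helper.
    function isValidSignatureUnsafe(bytes32 dataHash, bytes memory sig) external view returns (bytes4) {
        return isValidSignatureForAddressUnsafe(dataHash, sig, msg.sender);
    }

    function _verify(bytes32 digest, bytes memory sig, address account) internal view returns (bool) {
        if (sig.length != 65) return false;
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }
        // Reject malleable high-s signatures before recovering the signer.
        if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) return false;
        address signer = ecrecover(digest, v, r, s);
        return signer != address(0) && signer == ownerOf[account];
    }
}
```

A regression test for the fix can sign a raw dataHash and assert that the safe entry point rejects it while the unsafe one accepts it, and the reverse for a signature over the prefixed digest.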
Remediation
This issue has been acknowledged by Biconomy Labs, and a fix was implemented in commit 34a75fa2.