OpenZeppelin completed a diff-audit of the Open Intents Framework (OIF) contracts between commits 222989b and 5323b1b, identifying 6 issues (1 medium, 4 low, 1 informational). The medium-severity finding involves a solver identifier encoding mismatch: the `purchasedOrders` mapping uses the full `bytes32` solver identifier, while signature verification discards upper 96 bits, allowing a malicious solver to reuse a signature with different encodings and steal buyer's discount payments. Other fixes include Hyperlane Oracle chain ID mapping, Permit2 witness type update, InputSettlerCompact order status tracking, output oracle cleanness check, and FillerDataLib length validation. All findings have been resolved at commit b260675.

Key facts

• Medium-severity: solver identifier mismatch allows signature reuse across different bytes32 encodings.
• HyperlaneOracleMapped adds canonical chain ID mapping for cross-chain attestations.
• Permit2 witness now binds order.user to prevent signature reuse.
• InputSettlerCompact adds OrderStatus to prevent replay claims.
• All 6 issues resolved; code updated to commit b260675.