OpenZeppelin AuthRegistry Audit Finds 3 Low-Severity Issues, No Critical Flaws
OpenZeppelin completed a focused diff audit of AuthRegistry's signature-verification changes in the sunnyside-io/privacy-boost-backend repository. The review covered commits implementing opaque bytes signatures, EIP-1271 verification, and an ERC-7739 appendix-aware fallback for the owner authorization path. The system manages BabyJubJub authentication public keys for PrivacyBoost accounts, with owner signatures authorizing registry-management actions such as register, rotate, and revoke.
No Critical, High, or Medium severity issues were identified. Three low-severity findings were resolved: fallback verification failures collapsing into a single error, an ERC-7739 fallback parser assuming a 65-byte inner signature, and dual contentsHash encodings being accepted for the same authorization. One informational note, that the ERC-7739 appendix parser supports only implicit-mode contents descriptions, was also raised and resolved.
The audit confirms the design is secure, preserving compatibility with EOAs and ERC-1271 wallets while extending support to Startale and Solady-derived wallets that require wrapped digest verification.
Key facts
- OpenZeppelin audited AuthRegistry signature changes; no critical or high issues found.
- Three low-severity findings resolved: error granularity, inner signature length, dual encodings.
- System manages BabyJubJub keys for PrivacyBoost accounts via owner EIP-712 signatures.
- ERC-7739 fallback supports Startale and Solady wallets with wrapped digest verification.
- All findings and informational note resolved in subsequent commits.