This document presents the results of a smart contract audit conducted by Côme du Crest for Gnosis.
The scope includes the contract SnapshotSigner.sol as of commit 083c33e.
The goal of the project is to allow signing of Snapshot vote data on-chain. The signSnapshotVote(vote, domain) (or analogous) method is to be delegatecalled by a Safe. This in turn delegates to signMessageLib.signMessage(bytes) (SignMessageLib.sol), which stores the EIP-712 encoded message for later verification via isValidSignature(hash, signature) (CompatibilityFallbackHandler.sol).
The vote types are defined by Snapshot in snapshot.js/types.ts.
The audit has been sent to the developer team.
No serious issues have been discovered.
The contract does not allow signing anything other than Snapshot vote data.
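
The delegatecall flow described above, and the reason a signer of this shape can only ever sign vote data, shown as an added sketch that is not the audited SnapshotSigner.sol and not Gnosis or Safe code. The contract name, the simplified Vote and Domain layouts, the delegatecall-only guard and the choice to pass the 32-byte digest to signMessage are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only; NOT the audited SnapshotSigner.sol.
interface ISignMessageLib {
    function signMessage(bytes calldata data) external;
}

contract VoteOnlySignerSketch {
    // Assumed, simplified layouts. The real vote types are in snapshot.js/types.ts.
    struct Domain { string name; string version; }
    struct Vote { address from; string space; uint64 timestamp; bytes32 proposal; uint32 choice; }

    bytes32 private constant DOMAIN_TYPE_HASH =
        keccak256("EIP712Domain(string name,string version)");
    bytes32 private constant VOTE_TYPE_HASH =
        keccak256("Vote(address from,string space,uint64 timestamp,bytes32 proposal,uint32 choice)");

    address public immutable signMessageLib; // immutables live in code, so they survive delegatecall
    address private immutable self;

    constructor(address lib) {
        signMessageLib = lib;
        self = address(this);
    }

    function signSnapshotVote(Vote calldata vote, Domain calldata domain) external {
        // This sketch's own guard: only meaningful when run in a Safe's storage context.
        require(address(this) != self, "delegatecall only");

        bytes32 domainSeparator = keccak256(abi.encode(
            DOMAIN_TYPE_HASH, keccak256(bytes(domain.name)), keccak256(bytes(domain.version))));
        // The caller supplies field values only; the type hash is a constant, so no
        // payload other than a Vote struct can reach signMessage through this entry point.
        bytes32 structHash = keccak256(abi.encode(
            VOTE_TYPE_HASH, vote.from, keccak256(bytes(vote.space)),
            vote.timestamp, vote.proposal, vote.choice));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));

        // Second delegatecall: the library writes its "signed" marker into the Safe's storage.
        // Assumption: the 32-byte digest is what isValidSignature(hash, signature) is later asked about.
        (bool ok, ) = signMessageLib.delegatecall(
            abi.encodeWithSelector(ISignMessageLib.signMessage.selector, abi.encode(digest)));
        require(ok, "signMessage failed");
    }
}
```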