diff --git a/src/controllers/sign.controller.ts b/src/controllers/sign.controller.ts
index c4428fa..749c338 100644
--- a/src/controllers/sign.controller.ts
+++ b/src/controllers/sign.controller.ts
@@ -12,6 +12,7 @@ import { aesDecrypt } from 'zutils/utils/security.util'
 import { base58ToHex } from 'zutils/utils/string.util'
 import { ActivityGame } from 'models/ActivityGame'
 import { SCORE_INVITE_USER, SCORE_SOCIAL_TASK } from 'common/Constants'
+import { isObjectIdString } from 'common/Utils'
 const LOGIN_TIP = 'This signature is just to verify your identity'
@@ -60,6 +61,9 @@ class SignController extends BaseController {
 nonce = nonceStr
 }
 }
+ if (!isObjectIdString(nonce)) {
+ throw new ZError(11, 'nonce invalid')
+ }
 let record = await NonceRecord.findById(nonce)
 if (!record || record.status !== 0) {
 throw new ZError(12, 'nonce invalid')
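Review bot: The new guard in front of `NonceRecord.findById(nonce)` is only as strong as `isObjectIdString`, whose body is not part of this diff, and nothing at the call site says what it must reject. If `nonce` is client-supplied (the assignment above is only partly visible), the helper needs to refuse non-string values as well as strings that are not a valid id, so that an object or array never reaches the query layer; please confirm it starts with a `typeof value === 'string'` test. I would add `// nonce comes from the request: reject anything that is not a well-formed id string before querying` above the `if`. Separately, `findById` followed by `record.status !== 0` is a read-then-check, so if the status is only updated later in the method (it continues outside the hunk), two concurrent requests could presumably both pass with the same nonce. A single conditional update that matches on `status: 0` would make the nonce single-use.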