It is possible to pass Signature Validity check with an SignatureDecoder.recoverKey() returns 0 whenever the builder and /or contractor have an existing approved hash for a data.
Mitigation:
There should be a require check for _recoveredSignature != 0 in checkSignatureValidity().