In ethsnarks/eddsa.py, there seems to be a missing check on the signature verification step for the param s. This param should be validated, e.g. that it is in the range 0<s<l where l is the order of the curve. Otherwise, an attacker may forge signatures from a known plaintext-signature pair by simply crafting a different s value that is still equal to the original modulo the order of the curve, for example by simply crafting s' = s + l where l is the order of the curve.
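The missing range check described above, as an added example (not code from ethsnarks): a Schnorr-style verifier over a constructed toy group of prime order L stands in for the curve, with the unchecked verification beside one that enforces 0 < s < L. All names and parameters here are assumptions chosen for illustration.

```python
import hashlib

# Constructed toy parameters: the order-L subgroup of Z_P^* stands in for the
# curve's prime-order subgroup (L plays the role of the page's "l").
P = 2267                     # prime, P - 1 = 2 * 11 * 103
L = 103                      # prime subgroup order
G = pow(2, (P - 1) // L, P)  # element of order L

def challenge(R, A, msg):
    # Hash of (R, public key, message), reduced into the scalar range.
    data = b"%d|%d|" % (R, A) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % L

def keygen(secret):
    k = secret % L
    return k, pow(G, k, P)

def sign(k, A, msg, nonce):
    R = pow(G, nonce % L, P)
    s = (nonce + challenge(R, A, msg) * k) % L
    return R, s

def verify_unchecked(A, msg, sig):
    # The gap described above: s goes into the group equation unvalidated,
    # so every s + n*L satisfies it as well as s does.
    R, s = sig
    return pow(G, s, P) == (R * pow(A, challenge(R, A, msg), P)) % P

def verify_strict(A, msg, sig):
    # Hardened form: accept only the canonical scalar, 0 < s < L.
    R, s = sig
    if not (isinstance(s, int) and 0 < s < L):
        return False
    return verify_unchecked(A, msg, sig)

def demo():
    k, A = keygen(41)
    msg = b"constructed sample message"
    # In a group this small s == 0 happens for about 1 nonce in L; skip it.
    for n in range(1, L):
        R, s = sign(k, A, msg, n)
        if s != 0:
            break
    alias = (R, s + L)  # same residue mod L, different encoding
    return (verify_unchecked(A, msg, (R, s)), verify_unchecked(A, msg, alias),
            verify_strict(A, msg, (R, s)), verify_strict(A, msg, alias))

if __name__ == "__main__":
    print(demo())
```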