Severity:Informational
Difficulty: High
Type: Data Validation
Target: account/utils/signature.cairo
Description
When verifying a STARK/ETH signature, the corelib functions check_ecdsa_signature and recover_public_key are used. However both of these functions do not check the s value of the provided signature. As a result both (r,s) and (r,-s) are valid signatures for the same public key. Currently this is not exploitable because the signature validation is performed over the transaction hash, which is unique per transaction.
Signature verification allows for malleability
Severity:Informational Difficulty: High Type: Data Validation Target: account/utils/signature.cairo
Description
When verifying a STARK/ETH signature, the corelib functions
check_ecdsa_signatureandrecover_public_keyare used. However both of these functions do not check thesvalue of the provided signature. As a result both(r,s)and(r,-s)are valid signatures for the same public key. Currently this is not exploitable because the signature validation is performed over the transaction hash, which is unique per transaction.https://github.com/OpenZeppelin/cairo-contracts/blob/ef4128c61c6104852a1172e0e43e22fce1d33075/src/account/utils/signature.cairo#L11-L43
Recommendations
Short term, validate that the
svalue is positive, i.e. it is less thanCURVE_ORDER / 2.Long term, improve unit testing coverage to uncover edge cases like this and ensure intended behavior throughout the system.