Signature verification allows for malleability
Severity: Informational
Difficulty: High
Type: Data Validation
Target: account/utils/signature.cairo
Description
When verifying a STARK/ETH signature, the corelib functions check_ecdsa_signature and recover_public_key are used. However, neither of these functions checks the s value of the provided signature. As a result, both (r, s) and (r, -s) are valid signatures for the same public key. Currently this is not exploitable because the signature validation is performed over the transaction hash, which is unique per transaction.
https://github.com/OpenZeppelin/cairo-contracts/blob/ef4128c61c6104852a1172e0e43e22fce1d33075/src/account/utils/signature.cairo#L11-L43
Recommendations
Short term, validate that the s value is positive, i.e. it is less than CURVE_ORDER / 2.
Long term, improve unit testing coverage to uncover edge cases like this and ensure intended behavior throughout the system.
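As an added illustration (not code from the OpenZeppelin cairo-contracts repository or from this report), the following plain-Python ECDSA implementation reproduces the finding over secp256k1, the curve behind the ETH signatures mentioned above: `verify` accepts both (r, s) and (r, N - s), `verify_low_s` applies the recommended check (written as `s <= N // 2`, which for an odd curve order is the same as `s < CURVE_ORDER / 2`), and `normalize_low_s` is the signer-side counterpart. The private key, message and nonce derivation are constructed for the demonstration only.

```python
import hashlib

# secp256k1 parameters (the curve behind ETH signatures); a = 0, b = 7
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (
    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)
HALF_ORDER = N // 2  # the finding's CURVE_ORDER / 2 threshold


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mul(k, point):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, point)
        point = point_add(point, point)
        k >>= 1
    return acc


def msg_to_scalar(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, msg):
    """Textbook ECDSA signing. The nonce is derived from key and message so the
    example is reproducible (a simplification for the demo, not RFC 6979)."""
    z = msg_to_scalar(msg)
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + msg).digest(), "big") % N or 1
    r = scalar_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s


def verify(pub, msg, sig):
    """Mirrors the behaviour the finding describes: any 0 < s < N is accepted,
    so both (r, s) and (r, N - s) pass."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = msg_to_scalar(msg)
    w = pow(s, -1, N)
    point = point_add(scalar_mul(z * w % N, G), scalar_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def verify_low_s(pub, msg, sig):
    """The recommended check: reject the high-s form before verifying."""
    return sig[1] <= HALF_ORDER and verify(pub, msg, sig)


def malleate(sig):
    """The second valid signature (r, -s mod N), obtainable without the key."""
    r, s = sig
    return r, N - s


def normalize_low_s(sig):
    """What a signer does so its signatures pass verify_low_s."""
    r, s = sig
    return (r, N - s) if s > HALF_ORDER else (r, s)


def demo():
    priv = 0x1F2E3D4C5B6A79880011223344556677  # constructed test key, not a real secret
    pub = scalar_mul(priv, G)
    msg = b"constructed transaction hash"
    sig = sign(priv, msg)
    forged = malleate(sig)
    return {
        "original_verifies": verify(pub, msg, sig),
        "malleated_verifies": verify(pub, msg, forged),
        "low_s_accepts_both": verify_low_s(pub, msg, sig) and verify_low_s(pub, msg, forged),
        "normalized_passes": verify_low_s(pub, msg, normalize_low_s(sig)),
    }


if __name__ == "__main__":
    print(demo())
```

Exactly one of the two s values lies at or below N // 2, so the low-s rule leaves precisely one canonical signature per (key, message) pair. The check is a single comparison on the verifier side, but it only works if signers normalize their output as `normalize_low_s` does; otherwise roughly half of honest signatures would be rejected.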