When calling recoverPubKey with an invalid s (i.e. 0), it returns a public key. The same signature fails with verify, as 1 >= s >= n-1. This doesn't immediately sound like a vulnerability, except there exist libraries depending on elliptic which assume signature validity provided the output of recoverPubKey.
When calling
recoverPubKeywith an invalids(i.e.0), it returns a public key. The same signature fails withverify, as1 >= s >= n-1. This doesn't immediately sound like a vulnerability, except there exist libraries depending on elliptic which assume signature validity provided the output ofrecoverPubKey.