When calling `recoverPubKey` with an invalid `s` (i.e. `0`), it returns a public key. The same signature fails with `verify`, as `1 >= s >= n-1`. This doesn't immediately sound like a vulnerability, except there exist libraries depending on elliptic which assume signature validity provided the output of `recoverPubKey`.
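A defensive wrapper for code that consumes recovered keys, as an added example (not code from elliptic or from this report): it rejects `r` or `s` outside [1, n-1] before recovery and then verifies the signature against the recovered key. The `lib.recover` / `lib.verify` adapters, the function names and the stand-in object are assumptions made for illustration; the curve order shown is secp256k1's.

```javascript
// Order n of secp256k1 (public curve constant). Other curves need their own n.
const SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;

// True only when 1 <= x <= n-1, the range ECDSA requires for both r and s.
function inScalarRange(x, n) {
  return typeof x === 'bigint' && x >= 1n && x <= n - 1n;
}

// Accepts hex strings (with or without 0x) or bigints; returns null on junk.
function toScalar(v) {
  if (typeof v === 'bigint') return v;
  if (typeof v !== 'string' || !/^(0x)?[0-9a-fA-F]+$/.test(v)) return null;
  return BigInt(v.startsWith('0x') ? v : '0x' + v);
}

// Return a key only for a signature that is in range AND verifies.
// lib.recover / lib.verify are hypothetical adapters around the library's
// recovery and verification calls (assumed names, not a real API).
function recoverVerified(lib, msgHash, sig, recid, n = SECP256K1_N) {
  const r = toScalar(sig.r);
  const s = toScalar(sig.s);
  if (!inScalarRange(r, n) || !inScalarRange(s, n)) {
    return { ok: false, reason: 'r or s outside [1, n-1]' };
  }
  let pub;
  try {
    pub = lib.recover(msgHash, sig, recid);
  } catch (e) {
    return { ok: false, reason: 'recovery failed: ' + e.message };
  }
  // Never treat "recovery returned a key" as proof of validity.
  if (!lib.verify(msgHash, sig, pub)) {
    return { ok: false, reason: 'recovered key does not verify signature' };
  }
  return { ok: true, pub };
}

// Constructed stand-in modelling the behaviour reported above: recovery
// returns a key even for s = 0, while verification rejects out-of-range s.
const reportedBehaviour = {
  recover: () => 'constructed-public-key',
  verify: (_msg, sig) => inScalarRange(toScalar(sig.s), SECP256K1_N),
};
const msg = 'ab'.repeat(32); // constructed 32-byte hash, hex
const zeroS = recoverVerified(reportedBehaviour, msg, { r: '01', s: '00' }, 0);
const valid = recoverVerified(reportedBehaviour, msg, { r: '01', s: '02' }, 0);
console.log(zeroS, valid);
```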