keyring->pair->vrfVerify: possibly the wrong public key is used if the pair type is sr25519

polkadot-js / common

Utilities and base libraries for use across polkadot-js for Polkadot and Substrate. Includes base libraries, crypto helpers and cross-environment helpers.

Apache License 2.0

253 stars 144 forks source link

I'm submitting a bug
- [x] Bug report
What is the current behavior and expected behavior?

Vrf signature should be checked agains remote public key (passed as signerPublic parameter). But if the pair type is sr25519 then the current pair publicKey is possibly misused for validation.

https://github.com/polkadot-js/common/blob/6971012f4af62f453ba25d83d0ebbfd12eaf5709/packages/keyring/src/pair/index.ts#L211

Please tell us about your environment:
- Version: 12.6.2
- Environment:
- [x] Node.js
- [x] Browser
- [x] Other (limited support for other environments)
- Language:
- [x] JavaScript
- [x] TypeScript (include tsc --version)

polkadot-js / common

keyring->pair->vrfVerify: possibly the wrong public key is used if the pair type is sr25519 #1906