radixdlt / radixdlt-scrypto

Scrypto is the asset-oriented smart contract programming language of the Radix network. It allows you to quickly build secure and composable dApps.
https://developers.radixdlt.com/

Security audit of ed25519-dalek #1835

Open Kansuler opened 1 week ago

Kansuler commented 1 week ago

There seem to be two security issues that are patched in future versions of ed25519-dalek and sub dependency curve25519-dalek.

The list of issues due to ed25519-dalek@1.0.1 is:

The issues are resolved in the latest version of ed25519-dalek@2.1.1.

dhedey commented 6 days ago

Many thanks @Kansuler for the report.

We have previously investigated RUSTSEC-2022-0093 and confirmed that the usage of ed25519-dalek@1.0.1 in code was not a problem for this issue. More specifically, we wrap the private keys in Ed25519PrivateKey which ensures that the secret and public properties of KeyPair are aligned, so the oracle attack is not possible.

We will need to investigate RUSTSEC-2024-0344, but it looks likely the code is affected, and we will look into fixing this.

Whilst we generally advise that integrators use their own signing libraries, we appreciate that some may choose to use those built into the engine test framework, so we will look at whether we can update to offset the risk of timing attacks.
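The mitigation dhedey describes, the public key always derived from the secret half so that the pair can never be mismatched, as an added Python example that is not the repository's Rust code: the Ed25519PrivateKey name is borrowed from the thread, the class is a hypothetical counterpart of it, and the pure-Python curve arithmetic is constructed here so the consistency check can run without ed25519-dalek.

```python
import hashlib

# Constructed pure-Python Ed25519 public-key derivation (RFC 8032 arithmetic);
# it exists only to make the wrapper's invariant concrete and testable.
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
BX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
BY = 46316835694926478169428394003475163141307993866256225615783033603165251855960
G = (BX, BY, 1, BX * BY % P)  # base point, extended coordinates (X, Y, Z, T)

def point_add(p1, p2):
    x1, y1, z1, t1 = p1
    x2, y2, z2, t2 = p2
    a = (y1 - x1) * (y2 - x2) % P
    b = (y1 + x1) * (y2 + x2) % P
    c = 2 * t1 * t2 * D % P
    d = 2 * z1 * z2 % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def point_mul(s, p):
    q = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1:
            q = point_add(q, p)
        p = point_add(p, p)
        s >>= 1
    return q

def derive_public_key(seed: bytes) -> bytes:
    # Expand and clamp the seed exactly as Ed25519 key generation does.
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    a = int.from_bytes(hashlib.sha512(seed).digest()[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)
    x, y, z, _ = point_mul(a, G)
    zinv = pow(z, P - 2, P)
    x, y = x * zinv % P, y * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

class Ed25519PrivateKey:
    # Hypothetical Python counterpart of the engine wrapper named in the thread:
    # the public half is always derived from the secret half, never accepted
    # from the caller, so the two cannot be out of step.
    def __init__(self, seed: bytes):
        self._seed = seed
        self.public_key = derive_public_key(seed)

    def matches_public_key(self, claimed: bytes) -> bool:
        return claimed == self.public_key
```

A key pair that arrives from outside (for example a serialized secret plus public key) should be rebuilt through the constructor and checked with matches_public_key rather than trusted as supplied.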