Open vgulaev opened 2 days ago
In your analysis, did the private key become exposed publicly or otherwise?
Your question is not an answer to my question. We are exploring this lib as part of web3 for making Ethereum transactions, and during the audit we are trying to identify your security reasons for applying exactly this algorithm. At first sight we assumed that it is RFC 6979, and our further exploration found that in 6979 there should be a while loop section. So we still have a question about the reasons for this particular way of generating K.
https://github.com/vapory-staging/eth-keys/blob/042aff9d3b6977ffafba1f3d57ea5c280c75254f/eth_keys/backends/native/ecdsa.py#L63
From this code it looks like for the same private key and the same msg you get the same signature.
Looks like a security issue, because all transactions generated by this code have a fixed relation between K, D and msg.
Can you explain why you don't use secure random?