Signature Malleability

This repository implements a simplified PoC that demonstrates how signature malleability attacks using compact signatures can be executed. The PoC showcases two interconnected issues:

A vulnerability with the OpenZeppelin 4.6 ECDSA library which is vulnerable to the signature malleability exploit. The vulnerability was patched in version 4.7.3. Also, see here for the published security advisory.
Signatures MUST NOT be used as unique identifiers, since the ecrecover precompile generally allows for malleable (non-unique) signatures (see EIP-2) or signatures can be malleablised using EIP-2098. The underlying issue in the ecrecover precompile stems from the fact that there are two y-coordinates for every x-coordinate on the elliptic curve. The OpenZeppelin ECDSA library prevents this particular malleability attack vector by reverting if the secp256k1 32-byte signature parameter s is too high.

Name		Name	Last commit message	Last commit date
Latest commit History 75 Commits
.github/workflows		.github/workflows
lib		lib
test		test
.gas-snapshot		.gas-snapshot
.gitignore		.gitignore
.gitmodules		.gitmodules
.prettierignore		.prettierignore
LICENSE		LICENSE
README.md		README.md
foundry.toml		foundry.toml
remappings.txt		remappings.txt

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

.github/workflows

.github/workflows

lib

lib

test

test

.gas-snapshot

.gas-snapshot

.gitignore

.gitignore

.gitmodules

.gitmodules

.prettierignore

.prettierignore

LICENSE

LICENSE

README.md

README.md

foundry.toml

foundry.toml

remappings.txt

remappings.txt

Repository files navigation

Signature Malleability

About

Releases

Packages

Contributors 2

Languages

License

pcaversaccio/malleable-signatures

Folders and files

Latest commit

History

Repository files navigation

Signature Malleability

About

Topics

Resources

License

Stars

Watchers

Forks

Languages