  • Stars: 103
  • Rank 323,280 (Top 7 %)
  • Language: Solidity
  • License: Do What The F*ck ...
  • Created 12 months ago
  • Updated 3 months ago

Repository Details


Signature Malleability

Test smart contracts License: WTFPL

This repository implements a simplified PoC that demonstrates how signature malleability attacks using compact signatures can be executed. The PoC showcases two interconnected issues:

  1. The OpenZeppelin 4.6 ECDSA library is vulnerable to the signature malleability exploit. The vulnerability was patched in version 4.7.3. Also, see here for the published security advisory.

  2. Signatures MUST NOT be used as unique identifiers, since the ecrecover precompile generally allows for malleable (non-unique) signatures (see EIP-2) or signatures can be malleablised using EIP-2098. The underlying issue in the ecrecover precompile stems from the fact that there are two y-coordinates for every x-coordinate on the elliptic curve. The OpenZeppelin ECDSA library prevents this particular malleability attack vector by reverting if the secp256k1 32-byte signature parameter s is too high.
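The following is an added example, not code from this repository or from OpenZeppelin. It shows why the bytes of a signature make a poor identifier: one (r, s, v) triple has a 65-byte and a 64-byte EIP-2098 encoding, and a strict decoder applying the "s is too high" check rejects the high-s twin. The function names and the sample values are assumptions made for illustration.

```python
import hashlib

# secp256k1 group order n. ecrecover accepts any s in [1, n-1]; the check
# described above only accepts the lower half of that range.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HALF_N = N // 2

def encode_65(r, s, v):
    """Classic r || s || v encoding (65 bytes)."""
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([v])

def encode_compact(r, s, v):
    """EIP-2098 encoding (64 bytes): r || (yParity << 255 | s)."""
    if s > HALF_N:
        raise ValueError("EIP-2098 needs the top bit of s to be free")
    return r.to_bytes(32, "big") + (((v - 27) << 255) | s).to_bytes(32, "big")

def decode_strict(sig):
    """Parse either encoding into (r, s, v) and reject non-canonical values."""
    if len(sig) == 65:
        r = int.from_bytes(sig[:32], "big")
        s = int.from_bytes(sig[32:64], "big")
        v = sig[64]
    elif len(sig) == 64:
        r = int.from_bytes(sig[:32], "big")
        vs = int.from_bytes(sig[32:], "big")
        s, v = vs & ((1 << 255) - 1), 27 + (vs >> 255)
    else:
        raise ValueError("unexpected signature length")
    if v not in (27, 28) or not 1 <= r < N or not 1 <= s <= HALF_N:
        raise ValueError("non-canonical signature")
    return r, s, v

def high_s_twin(r, s, v):
    """The second triple that ecrecover maps to the same signer (EIP-2)."""
    return r, N - s, 55 - v  # 55 - v swaps 27 and 28

# Constructed sample values (hypothetical, not a real signature).
R = int.from_bytes(hashlib.sha256(b"constructed r").digest(), "big") >> 1
S = int.from_bytes(hashlib.sha256(b"constructed s").digest(), "big") >> 2
V = 28
```

A contract that records used signatures by their raw bytes treats the two encodings as different entries, so replay protection should be keyed on the signed message digest or a nonce rather than on the signature.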
