Polkadot Frontier Curve25519 Precompile Input Validation Vulnerability
Vulnerability
A vulnerability exists in the Curve25519Add and Curve25519ScalarMul precompiles of Polkadot Frontier, the Ethereum compatibility layer for Polkadot and Substrate. In versions prior to commit 36f70d1, these precompiles do not reject invalid compressed Ristretto point encodings. Instead of returning an error, they silently substitute the Ristretto identity element for any input that fails decompression, so the caller receives a well-formed result computed on a point it never supplied. Any contract that relies on these precompiles to reject malformed points can therefore be driven to an incorrect result; depending on what the calling contract does with that result, this could allow an attacker to bypass cryptographic checks, forge signatures, or compromise a key exchange.
Impact
Exploitation of this vulnerability undermines the integrity of cryptographic operations built on these precompiles, allowing signature forgery or manipulation of key exchanges. In a multi-signature scheme, for instance, an attacker could submit an invalid Ristretto point as a public key; instead of being rejected, it would be decoded as the identity element and counted towards the signing threshold, facilitating unauthorized signature creation. Because the identity is the neutral element of point addition, such a key also leaves an aggregated key unchanged, so the substitution is invisible to the aggregation step itself.
Reproduction
The vulnerability can be reproduced by passing an invalid compressed Ristretto point to the Curve25519Add or Curve25519ScalarMul precompile, for example from a smart contract that calls the precompile with a 32-byte value that does not decode to a valid point (a non-canonical field encoding, a "negative" encoding, or a value whose decoding fails the curve checks). A vulnerable node returns a result instead of an error: with Curve25519Add the result is the other, valid operand (identity plus Q is Q), and with Curve25519ScalarMul the result is the identity element, whose Ristretto255 encoding is 32 zero bytes. A fixed node rejects the call.
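The following is an added example, not Frontier's code and not the precompile's ABI: a pure-Python ristretto255 decoder written from RFC 9496, used to show the parse step behind both the Impact and Reproduction sections. `decode` performs the checks a correct implementation must enforce (canonical, non-negative `s`; square ratio; non-negative `t`; `y != 0`). `vulnerable_parse` models the behaviour the advisory describes (a failed decompression becomes the identity) and `fixed_parse` the corrected behaviour (a failed decompression is an error). The function names, the labelled invalid encodings and the exact shape of the substitution are assumptions made for this illustration; the basepoint encoding is the RFC 9496 constant.

```python
# Added example, not Frontier's code: pure-Python ristretto255 decoding (RFC 9496)
# contrasting "invalid encoding -> identity" (vulnerable) with "invalid -> error" (fixed).
# Assumed names: decode, vulnerable_parse, fixed_parse, on_curve, demo.
P = 2**255 - 19                                  # field prime
D = (-121665 * pow(121666, -1, P)) % P           # Edwards curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                # sqrt(-1) mod p
IDENTITY_ENCODING = bytes(32)                    # identity encodes as 32 zero bytes
BASEPOINT_ENCODING = bytes.fromhex(              # ristretto255 basepoint, RFC 9496
    "e2f2ae0a6abc4e71a884a961c500515f58e30b6aa582dd8db6a65945e08d2d76")


def is_negative(x):
    """RFC 9496 IS_NEGATIVE: a canonical field element is 'negative' when it is odd."""
    return (x % P) & 1 == 1


def ct_abs(x):
    x %= P
    return (P - x) % P if is_negative(x) else x


def sqrt_ratio_m1(u, v):
    """RFC 9496 SQRT_RATIO_M1: (was_square, r) with r = |sqrt(u/v)| when u/v is square."""
    v3 = (v * v * v) % P
    v7 = (v3 * v3 * v) % P
    r = (u * v3 * pow(u * v7, (P - 5) // 8, P)) % P
    check = (v * r * r) % P
    correct = check == u % P
    flipped = check == (-u) % P
    flipped_i = check == (-u * SQRT_M1) % P
    if flipped or flipped_i:
        r = (SQRT_M1 * r) % P
    return (correct or flipped), ct_abs(r)


def decode(enc):
    """Decode a 32-byte ristretto255 encoding to (x, y, z, t); None if invalid."""
    if len(enc) != 32:
        return None
    s = int.from_bytes(enc, "little")
    if s >= P or is_negative(s):                 # non-canonical or negative s
        return None
    ss = (s * s) % P
    u1 = (1 - ss) % P
    u2 = (1 + ss) % P
    u2_sqr = (u2 * u2) % P
    v = (-(D * u1 * u1) - u2_sqr) % P
    was_square, invsqrt = sqrt_ratio_m1(1, (v * u2_sqr) % P)
    den_x = (invsqrt * u2) % P
    den_y = (invsqrt * den_x * v) % P
    x = ct_abs(2 * s * den_x)
    y = (u1 * den_y) % P
    t = (x * y) % P
    if not was_square or is_negative(t) or y == 0:   # the checks a precompile must enforce
        return None
    return (x, y, 1, t)


def on_curve(pt):
    """Sanity check: -x^2 + y^2 = 1 + d x^2 y^2 and t = x*y, with z = 1."""
    x, y, z, t = pt
    return z == 1 and (-x * x + y * y) % P == (1 + D * x * x * y * y) % P and t == (x * y) % P


IDENTITY_POINT = decode(IDENTITY_ENCODING)       # (0, 1, 1, 0)


def vulnerable_parse(enc):
    """Pre-fix behaviour as described in the advisory: a failed decompression
    is silently replaced by the identity element (assumed shape of the bug)."""
    pt = decode(enc)
    return IDENTITY_POINT if pt is None else pt


def fixed_parse(enc):
    """Post-fix behaviour: a failed decompression is an error the caller must handle."""
    pt = decode(enc)
    if pt is None:
        raise ValueError("invalid ristretto255 point encoding")
    return pt


# Constructed invalid encodings, each failing a different check in decode():
INVALID_ENCODINGS = {
    "s >= p (non-canonical)": bytes([0xff] * 31 + [0x7f]),           # s = 2^255 - 1
    "s == p (non-canonical)": bytes([0xed] + [0xff] * 30 + [0x7f]),  # s = p
    "s odd ('negative')":     bytes([0x01] + [0x00] * 31),           # s = 1
    "s == -1 (gives y == 0)": bytes([0xec] + [0xff] * 30 + [0x7f]),  # s = p - 1
}


def demo():
    """Per invalid input: (vulnerable parser yielded identity, fixed parser raised)."""
    results = {}
    for label, enc in INVALID_ENCODINGS.items():
        masked = enc != IDENTITY_ENCODING and vulnerable_parse(enc) == IDENTITY_POINT
        try:
            fixed_parse(enc)
            rejected = False
        except ValueError:
            rejected = True
        results[label] = (masked, rejected)
    return results


if __name__ == "__main__":
    for label, (masked, rejected) in demo().items():
        print(f"{label:26s} vulnerable->identity: {masked}  fixed->error: {rejected}")
```

Each constructed input is rejected by `decode`, is turned into the identity by `vulnerable_parse`, and raises in `fixed_parse`; the `s == -1` case is the interesting one, since it passes the cheap canonical and sign checks and is only caught by the `y == 0` test at the end of decoding. Feeding any of these to an Add-style operation would yield the other operand unchanged, which is the multi-signature failure described under Impact.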
Remediation
The vulnerability has been addressed in commit 36f70d1, released in Polkadot Frontier version 0.3.0. Users should upgrade to this version or later. Until a node is upgraded, contracts should not rely on these precompiles to reject malformed points.
