Consensys gnark Signature Malleability Vulnerability in EdDSA and ECDSA Circuits

Vulnerability

A signature malleability vulnerability has been identified in the Consensys gnark framework, specifically within the EdDSA and ECDSA circuits, in versions prior to 0.14.0. The issue arises because the Verify function in both the 'eddsa.go' and 'ecdsa.go' files used the S value from a signature without validating that it fell within the acceptable range. As a result, multiple distinct witnesses could satisfy the same public inputs, which could lead to double spending in protocols that relied on nullifiers or anti-replay checks derived from the signature values.

Impact

Exploitation of this vulnerability allows for signature malleability, where a forged signature can be created that is accepted as valid by the system. This could lead to double spending in financial applications by allowing a spent asset to be reused.

Reproduction

The vulnerability can be reproduced with the EdDSA or ECDSA implementation in gnark versions prior to 0.14.0. After a valid signature is generated, adding the order of the group to its S value produces a forged signature that the verification process still accepts. Using this forged signature in a circuit that checks signature validity demonstrates the malleability: the circuit accepts the forged signature as valid even though it differs from the original.
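The effect of the missing range check on S, as an added example that is not gnark code or taken from the advisory: a Schnorr-style verification in a constructed toy group (p = 23, q = 11, g = 2) stands in for the circuits' curve arithmetic, and the names Sig, verifyLoose, verifyStrict and nullifier are hypothetical. It shows that S and S + q satisfy the same verification equation but yield different signature-derived nullifiers, and that bounding S to [0, q) leaves a single accepted encoding.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Constructed toy Schnorr group (not a gnark curve): g has prime order q modulo p.
var (
	p = big.NewInt(23)
	q = big.NewInt(11)
	g = big.NewInt(2)
)

// Sig is a Schnorr-style signature: R = g^k, S = k + e*x mod q.
type Sig struct{ R, S *big.Int }

// verifyLoose checks g^S == R * y^e (mod p) without constraining S,
// modelling the missing range check described in the advisory.
func verifyLoose(y, e *big.Int, sig Sig) bool {
	lhs := new(big.Int).Exp(g, sig.S, p)
	rhs := new(big.Int).Exp(y, e, p)
	rhs.Mul(rhs, sig.R).Mod(rhs, p)
	return lhs.Cmp(rhs) == 0
}

// verifyStrict first requires 0 <= S < q, so each signature has one encoding.
func verifyStrict(y, e *big.Int, sig Sig) bool {
	if sig.S.Sign() < 0 || sig.S.Cmp(q) >= 0 {
		return false
	}
	return verifyLoose(y, e, sig)
}

// nullifier models an anti-replay tag derived from the signature values.
func nullifier(sig Sig) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(sig.R.String()+"|"+sig.S.String())))
}

func main() {
	y, e := big.NewInt(8), big.NewInt(4) // public key g^3 and a constructed challenge
	canonical := Sig{R: big.NewInt(13), S: big.NewInt(8)}
	shifted := Sig{R: big.NewInt(13), S: big.NewInt(19)} // same signature with S + q
	fmt.Println(verifyLoose(y, e, canonical), verifyLoose(y, e, shifted))   // true true
	fmt.Println(verifyStrict(y, e, canonical), verifyStrict(y, e, shifted)) // true false
	fmt.Println(nullifier(canonical) != nullifier(shifted))                 // true
}
```

Protocols that key replay protection on signature bytes can use the same comparison as a regression test: any verifier that accepts both encodings lets one authorization map to two nullifiers.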

Remediation

Users can upgrade to gnark version 0.14.0 or later, where this vulnerability has been addressed.

Added: Aug 22, 2025, 8:16 PM
Updated: Aug 22, 2025, 8:16 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.