[BUG] SingleKeyAccount is insecure #19434

@olehmisar

What are you trying to do?

In the Schnorr single key account, the ivsk_m is used as a signing key. If I give my viewing key to someone, they will be able to transact from my account. Does it make sense to use nsk_m instead?

x: witness.keys.ivpk_m.inner.x,
y: witness.keys.ivpk_m.inner.y,
is_infinite: false,
};
// In a single key account contract we re-used ivpk_m as signing key
schnorr::assert_valid_signature(public_key, witness.signature, message_bytes);

The account is exported from @aztec/accounts, so app devs are going to import from an official npm package.

From @nventuro: using ivsk as a signing key is very bad.

Code Reference

Aztec Version

3.0.0

OS

No response

Browser (if relevant)

No response

Node Version

No response

Additional Context

No response
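
The key-reuse problem reported above, as an added sketch that is not code from the issue or from Aztec: a toy Schnorr scheme over a tiny constructed group shows that an account verifying against the viewing public key accepts a signature from anyone holding the viewing secret, while an account with an independent signing key rejects it. The group parameters, key values, `Account` class and transaction string are all assumptions made for illustration.

```python
import hashlib

# Toy Schnorr group (constructed, far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def _h(*parts):
    """Hash the parts to a non-zero scalar in [1, Q-1]."""
    data = b"|".join(str(x).encode() for x in parts)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def public_key(sk):
    return pow(G, sk, P)

def sign(sk, message):
    k = _h("nonce", sk, message)   # deterministic per-message nonce
    r = pow(G, k, P)
    e = _h("chal", r, message)     # challenge
    return r, (k + e * sk) % Q

def verify(pk, message, sig):
    r, s = sig
    e = _h("chal", r, message)
    return pow(G, s, P) == (r * pow(pk, e, P)) % P

class Account:
    """Hypothetical account: authorizes a transaction against one stored public key."""
    def __init__(self, signing_pk):
        self.signing_pk = signing_pk

    def authorize(self, tx, sig):
        return verify(self.signing_pk, tx, sig)

# Constructed secrets for the demo.
IVSK = 123     # incoming viewing secret key, the one handed to a third party
SIGN_SK = 456  # hypothetical dedicated signing key, never shared

def demo():
    tx = "transfer 10 to 0xabc"   # constructed transaction message
    viewer_sig = sign(IVSK, tx)   # produced with the viewing key only
    reused = Account(public_key(IVSK))        # viewing key doubles as signing key
    separated = Account(public_key(SIGN_SK))  # signing key independent of viewing key
    return {
        "reused_accepts_viewer": reused.authorize(tx, viewer_sig),
        "separated_accepts_viewer": separated.authorize(tx, viewer_sig),
        "separated_accepts_owner": separated.authorize(tx, sign(SIGN_SK, tx)),
    }

if __name__ == "__main__":
    print(demo())
```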

Labels

T-bug (Type: Bug. Something is broken.), from-community (This originated from the community :)