The Ethereum Virtual Machine (EVM) provides a pre-compile to verify and recover signers of ECDSA signed messages. However, there are a couple of interesting quirks one should know about ecrecover() that may affect the security of the system using it.
⇒ 🕹️ Demo Playground [Görli]
⇒ 📄 EcdsaSignaturePlayground.sol
Have fun, play around with the DEMO_* methods or convert signature params using flipSignatureParams() (see 1).
For a valid ECDSA signature sig = (v, r, s) for message hash(m) there exists a sister signature pair sig' = (v', r, -s mod N) that validly verifies the same message hash(m).
The sister sig' can be created as follows:
v'... flipv=[27,28] ⇢ v'=[28,27])r... keeprs'... calculate-s mod N
⇒ EcdsaSignaturePlayground.DEMO_malleableSignatureParams(): Returns the 'sister signature' params for the demo signature DEMO_getDemoSignature().
⇒ EcdsaSignaturePlayground.flipSignatureParams(): directly convert your signature params to another valid set.
Never use the raw signature bytes or signature parameters as a unique identifier in your system (see CWE-347: Improper Verification of Cryptographic Signature). Safe implementation: OpenZeppelin's ECDSA.sol.
This, can be forced by setting ...
s... to a random value
⇒ EcdsaSignaturePlayground.DEMO_arbitrarySigner(): Modifies DEMO_getDemoSignature() to make ecrecover() return a random address.
Ensure the address recovered from the signature is an address you expect in the system.
ecrecover() does not throw but returns address(0x0) on error.
This, can be forced by setting an ...
vto an invalid valuerto a value that is not in the field secp256k1 (> SECP256K1_N)
⇒ EcdsaSignaturePlayground.DEMO_forcedRecoverError(): Intentionally fails ecrecover by modifying the demo signature DEMO_getDemoSignature() to return address(0x0).
Reject signatures that recover to address(0x0) as this is indicative of an error condition.