Skip to content

Commit

Permalink
Enhance Safe.sol with ECDSA malleability warning (#877)
Browse files Browse the repository at this point in the history
Added a comment in the Safe contract to clarify that the `s` value of
ECDSA signatures is not enforced to be in the lower half of the curve.
This note explains the implications of ECDSA malleability and reassures
that existing mechanisms are in place to prevent duplicate signatures
and replay attacks. No functional changes were made to the contract
logic.
  • Loading branch information
mmv08 authored Jan 9, 2025
1 parent 8aa4551 commit 19e1d63
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions contracts/Safe.sol
Original file line number Diff line number Diff line change
Expand Up @@ -291,6 +291,10 @@ contract Safe is
address currentOwner;
uint256 v; // Implicit conversion from uint8 to uint256 will be done for v received from signatureSplit(...).
bytes32 r;
// NOTE: We do not enforce the `s` to be from the lower half of the curve
// This essentially means that for every signature, there's another valid signature (known as ECDSA malleability)
// Since we have other mechanisms to prevent duplicated signatures (ordered owners array) and replay protection (nonce),
// we can safely ignore this malleability.
bytes32 s;
uint256 i;
for (i = 0; i < requiredSignatures; i++) {
Expand Down

0 comments on commit 19e1d63

Please sign in to comment.