This may result in a loss of funds in transactions using these secp256k1-compatible ECDSA keys.

The secp256k1-js package before 1.1.0 for Node.js has an issue where it does not implement ECDSA with r and s values that are required in the secp256k1 curve. This causes ECDSA signatures to fail to validate and allow for the creation of invalid signed messages. This issue may be exploited by an attacker to forge signatures to the secp256k1-compatible ECDSA keys, resulting in the theft of funds. To update your package and avert this risk, please upgrade to the latest version of secp256k1-js.
Affected versions: v1.0.0 to v1.0.0-rc.4 for Node.js. A security issue has been identified with secp256k1-compatible ECDSA keys implemented in the secp256k1-js package for Node.js. This package does not implement ECDSA with required r and s values, resulting in ECDSA signatures failing to validate. This may allow an attacker to forge signatures to the secp256k1-compatible ECDSA keys, resulting in the theft of funds. To update your package and avert this risk, please upgrade to the latest version of secp256k1-js. A security issue has been identified with secp256k1

Summary

A security issue has been identified with secp256k1-compatible ECDSA keys implemented in the secp256k1-js package for Node.js. This package does not implement ECDSA with required r and s values, resulting in ECDSA signatures failing to validate. This may allow an attacker to forge signatures to the secp256k1-compatible ECDSA keys, resulting in the theft of funds. To update your package and avert this risk, please upgrade to the latest version of secp256k1-js.

Summary of vulnerability

This may result in a loss of funds in transactions using these secp256k1-compatible ECDSA keys.
Affected versions: v1.0.0 to v1.0.0-rc.4 for Node.js

What is the secp256k1 curve?

The secp256k1 curve is a 256-bit elliptic curve which forms the basis for ECDSA signatures used in Bitcoin and Ethereum. It was chosen by the IETF as the primary curve to use in certificates, TLS, and SSH.

Summary of Risk

If you use Node.js and the secp256k1-js package, you are vulnerable to this issue.

A security issue has been identified with secp256k1-compatible ECDSA keys implemented in the secp256k1-js package for Node.js. This package does not implement ECDSA with required r and s values, resulting in ECDSA signatures failing to validate. This may allow an attacker to forge signatures to the secp256k1-compatible ECDSA keys, resulting in the theft of funds. To update your package and avert this risk, please upgrade to the latest version of secp256k1-js.

Timeline

Published on: 09/24/2022 19:15:00 UTC
Last modified on: 09/28/2022 15:55:00 UTC

References