Missing enforcment of valid r
range in ecrecover
#9
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-13
nullified
Issue is high quality, but not accepted
🤖_67_group
AI based duplicate group recommendation
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/kkrt-labs/kakarot/blob/7411a5520e8a00be6f5243a50c160e66ad285563/src/kakarot/precompiles/ec_recover.cairo#L40
Vulnerability details
Impact
The valid range of
r
is not being enforced when calling ecrecover. This causes an issue where ifr
is set outside its valid range (as defined by the Ethereum yellow paper), Kakarot will panic, while on Ethereum, it will simply returnaddress(0)
.Proof of Concept
According to the Ethereum yellow paper, an ECDSA signature is only valid if all the following conditions are true:
0 < r < secp256k1n
0 < s < secp256k1n / 2 + 1
v = 27 || 28
where
secp256k1n = 115792089237316195423570985008687907852837564279074904382605163141518161494337 = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
https://ethereum.github.io/yellowpaper/paper.pdf
If
s
andv
are valid, butr
exceeds its maximum value (i.e.,r >= 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
):address(0)
.This is a significant difference between Kakarot and Ethereum.
The issue occurs when the precompiler
ecrecover
is invoked, and the following function is executed:https://github.com/kkrt-labs/kakarot/blob/7411a5520e8a00be6f5243a50c160e66ad285563/src/kakarot/precompiles/ec_recover.cairo#L40
This function does not enforce the valid range for
r
. It should ensure thatr
is between1
and0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140
, as explained in the Recommendation section.PoC
In the following tests,
s
andv
are valid, butr
is outside the valid range. On Ethereum, ecrecover returnsaddress(0)
, but on Kakarot, the system panics, as shown in the output logs.To run the end-to-end tests correctly, the
make test-end-to-end13
command should be used, as defined in theMakefile
.The output log is:
Tools Used
Recommended Mitigation Steps
The following modifications are needed to constraint the valid range of
r
:https://github.com/kkrt-labs/kakarot/blob/7411a5520e8a00be6f5243a50c160e66ad285563/src/kakarot/precompiles/ec_recover.cairo#L40
Assessed type
Context
The text was updated successfully, but these errors were encountered: