Input signal s is not constrained in eff_ecdsa.circom：When s=0 and T is different, the output varies

[Subway2023]

Bug report says that if we set s = 0 and (Ux, Uy) = pubKey, then (Tx, Ty) can be any pair of values.

My understanding is that if s=0, U is the same, and T is a different set of inputs, the same output should be obtained, but the result is not like this.

Test0

input.json

{
    "s": 0,
    "Tx": 8,
    "Ty": 9,
    "Ux": 3,
    "Uy": 4
}

public.json

[
 "7805858560854569819918975737687721771085126966751833164347832040877563070443",
 "16988790562614459202550337482205732142865207045186758803081396539830677481293"
]

Test1

input.json

{
    "s": 0,
    "Tx": 1,
    "Ty": 2,
    "Ux": 3,
    "Uy": 4
}

public.json

[
 "14105996747538665747038049000821378756510778545708046207861391876868245570302",
 "11208388174384675725594554820360477132639829119066243891901010234274989220235"
]

I think the above two sets of inputs should receive the same output

[Subway2023]

In my tests, when Tx and Ty are 0, regardless of the value of s, pubKeyX equals Ux and pubKeyY equals Uy. Therefore, I believe this bug is due to insufficient constraints on Tx and Ty, rather than the insufficient constraints on s mentioned in the audit report.

[StefanosChaliasos]

@Subway2023, can you please create a PR to fix this issue?