Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
gnark is vulnerable to signature malleability in EdDSA and ECDSA due to missing scalar checks
Vulnerability Description
gnark is a zero-knowledge proof system framework. In versions prior to 0.14.0, the Verify function in eddsa.go and ecdsa.go used the S value from a signature without asserting that 0 ≤ S < order, leading to a signature malleability vulnerability. Because gnark’s native EdDSA and ECDSA circuits lack essential constraints, multiple distinct witnesses can satisfy the same public inputs. In protocols where nullifiers or anti-replay checks are derived from R and S, this enables signature malleability and may allow double spending. This issue has been addressed in version 0.14.0.
CVSS Information
N/A
Vulnerability Type
密码学签名的验证不恰当
Vulnerability Title
gnark 数据伪造问题漏洞
Vulnerability Description
gnark是Consensys开源的一个快速的 zk-SNARK 库。供高级 API 来设计电路。 gnark 0.14.0之前版本存在数据伪造问题漏洞,该漏洞源于签名验证不完整,可能导致签名可塑性攻击。
CVSS Information
N/A
Vulnerability Type
N/A