Vulnerabilities

Signature Malleability

Signature malleability is the ability to transform a valid signature into another valid signature for the same message.

Signature malleability means the same approval can have more than one valid-looking signature.

Signature Malleability Explained in Detail

Signature malleability means one valid signature can be transformed into another valid signature for the same message. In ECDSA, high-s variants are the classic concern.

Modern libraries usually reject malleable forms, but raw ecrecover usage can still be risky.

Smart contract example

address signer = ecrecover(digest, v, r, s);

Raw recovery needs extra checks for zero address, valid v, and low s.

Signature Malleability in Auditing

Malleability can break replay protection if a contract tracks used signatures by raw signature bytes. An attacker may submit a different byte representation for the same message.

Auditors review signature validation and used-state tracking.

Red flags in code

  • Raw ecrecover is used without low-s checks.

  • Both v formats are accepted inconsistently.

  • Used signatures are tracked by signature bytes instead of digest or nonce.

  • Zero-address signer is accepted.

  • Signature checks do not use a reviewed ECDSA library.

How to test or review it

  • Submit high-s and low-s variants where possible.

  • Test v values 27, 28, 0, and 1 according to expected rules.

  • Replay the same digest with altered signature bytes.

  • Track used authorizations by nonce or digest.

  • Prefer audited ECDSA helpers for signature recovery.

Sources