F-2025-0025·cryptography

Missing curve validation in encodeEthSecp256k1Pubkey

Acknowledgedtypescriptwidgetrouter-api

TL;DR

encodeEthSecp256k1Pubkey did not validate that the public key was on the secp256k1 curve. Off-curve inputs would encode successfully and propagate downstream as nominally valid pubkeys.

Severity

LOW

Impact

MEDIUM

Likelihood

LOW

Method

MManual review

CAT.

Complexity

MEDIUM

Exploitability

LOW

02Section · Description

Description

encodeEthSecp256k1Pubkey accepted public key bytes and encoded them without verifying that the bytes represented a valid point on the secp256k1 curve. Off-curve inputs would encode as if valid, propagating downstream into signing or verification paths where the inconsistency could cause subtle failures.

03Section · Recommendation

Recommendation

Validate that the input bytes form a valid secp256k1 point before encoding. Reject off-curve inputs with a clear error.

Initia: Acknowledged. Pashov Audit Group: Acknowledged.