Description

The Secp256r1 module implements critical functionality for signature validation, and it is implemented in a nonstandard and highly optimized way. To ensure that the library works in common cases, edge cases, and invalid cases, it is crucial to have proper test coverage for these types of primitives. There are currently no tests using this library, making it hard to see if it works at all.

Impact

Missing test cases could lead to critical bugs in the cryptographic primitives. These could lead to, for example,

• Signature forgery and total account takeover

• Surprising or very random gas costs

• Proper signatures not validating, leading to DOS

• Recovery of private keys in extreme cases.

Recommendations

Google has Project Wycheproof, which includes many test vectors for common cryptographic libraries and their operations. A good match for this module, which uses Secp256r1 (aka NIST P-256) and 256-bit hashes, is to use the ecdsa_secp256r1_sha256_test.json test vectors. Do note that many of these vectors target DER decoding, so it is safe to skip tests tagged "BER". Additionally, test cases where they use numbers larger than 256 bits can be ignored, as they are invalid in Solidity when using uint256 types.

These test vectors can be somewhat easily converted to Solidity library tests, giving hundreds of tests for free.

Remediation

This issue has been acknowledged by Biconomy Labs, and a fix was implemented in commit 5c5a6bfe↗.