Results 594 comments of Paul Miller

Read this https://github.com/micromatch/braces/pull/37#issuecomment-2121649614

PoC

```js
for (let repeats = 1; repeats
```

> compact signatures that also happen to be valid DER

If we're talking about secp256k1, here's how this could look:

- First byte is `0x30`
- Second byte is `0x3e`...

Use ts-ignore for now, will fix later

> This condition could be deliberately induced, to produce consensus-breaking side-effects

Induced at which point exactly? Could you describe an attack?

This is worth considering for the next breaking release, which won't happen soon because of our release cadence (unless there's a probable security issue). The reason it was made like...

I've written the bruteforcer to find such signatures, nothing interesting so far:

```js
import { secp256k1 } from '@noble/curves/secp256k1';
import { bytesToHex } from '@noble/curves/abstract/utils';
const priv = new Uint8Array(32).fill(4);
...
```

`true == verify_in_compact(sig, msg_a, pub) == verify_in_der(sig, msg_b, pub)`, is the condition we're looking for.

It's really cool that you've spent time on this! Thank you. For the malleability to happen, an attacker would need to have distinct msg_a verifiable=true under sig (der hex) and...

> Likewise, if the original signature was provided in DER form, an attacker can convert it to compact form.

The attacker could also convert hex to bytes, or to Signature instance....