File: crates/identity/src/lib.rs:336-338
Severity: security
Obvious? no
pub fn verify(...) calls key.verify(data, sig), the non-strict ed25519-dalek API. This permits non-canonical/malleable encodings of S (and accepts mixed-order R points). For Willow this is partially mitigated because event identity is the SHA-256 of the SignableContent (sig-independent) and the DAG rejects duplicates (dag.rs:160), so signature malleability cannot create two distinct events. However, this same verify is used as a generic primitive in the codebase — any caller that uses signature bytes themselves as an identity or freshness token would be vulnerable.
Fix: switch to key.verify_strict(...) for defense-in-depth and to align with RFC 8032 / CCTP guidance.
Filed by /general-audit @ 6404719 (2026-05-03). master: #567.