Zion Boggan

In-depth vulnerability research, detection engineering & applied cryptography.

● Open to security-research & detection roles
GitHub · LinkedIn · Email
← Research notebook
Crypto soundness

Finding 07: Missing Signature Verification in Offline ECDSA

Zion Boggan · April 11, 2026 · coordinated disclosure

Severity: P3 (Medium), Invalid signatures returned silently

Summary

The offline ECDSA signing path combines partial signatures but does NOT verify the final result. A malicious cosigner can submit a corrupted partial s_i producing an invalid combined signature returned without error. The online path explicitly calls GFp_curve_algebra_verify_signature() before returning.

Location

  • File: src/common/cosigner/cmp_ecdsa_offline_signing_service.cpp, lines 425-447
  • Missing: Final signature verification (present in online path at cmp_ecdsa_online_signing_service.cpp:483)

Remediation

Add algebra->verify() call after signature combination in the offline path.

Source · github.com/zionsworking/security-research-notebook · writeups/fireblocks/07-offline-ecdsa-no-sig-verify-P3.md