Improper Verification of Cryptographic Signature
The verify function in the Stark Bank Node.js ECDSA library (ecdsa-node) fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.
An attacker can forge signatures on arbitrary messages that will verify under any public key. This may allow attackers to authenticate as any user within the Stark Bank platform and to bypass the signature verification required for operations on the platform, such as sending payments and transferring funds. Additionally, attackers' ability to forge signatures may impact other users and projects using these libraries in different and unforeseen ways.