Solidity 中 ECDSA 签名漏洞全面解析<\/h1>

1. 以太坊签名机制基础<\/h2>

1.1 账户与签名机制<\/h3>

在以太坊中：<\/p>

用户账户由公私钥对生成<\/li>
私钥用于对交易签名<\/li>
公钥前20字节作为账户地址<\/li>

签名机制是整个区块链的基石<\/li> <\/ul>

1.2 ECDSA 签名过程<\/h3>

以太坊使用 ECDSA (椭圆曲线数字签名算法)：<\/p>

输入参数：私钥 private_key<\/code> 和消息哈希 message_hash<\/code><\/li>
输出结果：v<\/code>、r<\/code>、s<\/code> 三个参数<\/li>

最终签名：r(32字节) + s(32字节) + v(1字节)<\/code> 拼接成65字节的 signature<\/code><\/li>
<\/ul>
2. 合约中的签名验证<\/h2>
2.1 签名恢复方法<\/h3>
合约中常用的两种签名恢复方法：<\/p>
方法一：ecrecover<\/code> (EVM预编译函数)<\/h4>
address<\/span> signer =<\/span> ecrecover(messageHash, v, r, s);
<\/span><\/span><\/code><\/pre>方法二：ECDSA.recover<\/code> (OpenZeppelin封装)<\/h4>
address<\/span> signer =<\/span> ECDSA.recover(messageHash, signature);
<\/span><\/span><\/code><\/pre>2.2 两种方法的区别<\/h3>
OpenZeppelin的 ECDSA.recover<\/code>：<\/p>

对 ecrecover<\/code> 进行了封装<\/li>
增加了预先检查<\/li>
防止ECDSA签名延展性攻击<\/li>
提供更丰富的功能支持<\/li>
但需注意紧凑型签名攻击风险<\/li>
<\/ul>
3. 常见签名验证场景<\/h2>
3.1 授权特权操作<\/h3>

通过验证单个用户签名<\/li>
允许调用者执行特权操作<\/li>
<\/ul>
3.2 用户份额累加<\/h3>

通过验证多个用户签名<\/li>
累加用户份额（类似投票机制）<\/li>
<\/ul>
4. ECDSA 签名漏洞类型及实例<\/h2>
4.1 签名重复性检验不完善<\/h3>
漏洞特征<\/strong>：<\/p>

仅检查相邻签名是否相同<\/li>
允许不同用户交替重复签名<\/li>
<\/ul>
实例分析<\/strong>：<\/p>
\/\/ 错误实现 - 仅检查相邻签名
<\/span><\/span><\/span><\/span>function<\/span> changeBridgeSettings<\/span>(bytes<\/span> memory<\/span> signature) public<\/span> {
<\/span><\/span>    require(signature !=<\/span> lastSigner, "Duplicate signature"<\/span>);
<\/span><\/span>    lastSigner =<\/span> signature;
<\/span><\/span>    \/\/ 其他逻辑...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击方式<\/strong>：<\/p>

两个不同用户交替重复签名<\/li>
可无限累加份额<\/li>
<\/ul>
修复方案<\/strong>：<\/p>

应记录所有已用签名<\/li>
或记录消息哈希而非签名<\/li>
<\/ul>
4.2 ECDSA签名延展性攻击<\/h3>
漏洞原理<\/strong>：<\/p>

对于同一 r<\/code>，存在两个不同的 s<\/code> 满足要求<\/li>
可根据一个 s<\/code> 计算另一个：s' = n - s<\/code> (n为曲线阶数)<\/li>
<\/ul>
实例分析<\/strong>：<\/p>
\/\/ 使用 ecrecover 易受攻击
<\/span><\/span><\/span><\/span>address<\/span> signer =<\/span> ecrecover(messageHash, v, r, s);
<\/span><\/span><\/code><\/pre>修复方案<\/strong>：<\/p>

使用 OpenZeppelin 的 ECDSA.recover<\/code><\/li>
该函数内部会检查并拒绝延展性签名<\/li>
<\/ul>
4.3 紧凑型签名攻击<\/h3>
背景知识<\/strong>：<\/p>

ERC-2098 引入紧凑型签名<\/li>
签名长度从65字节缩短到64字节<\/li>
初衷是优化EVM空间使用<\/li>
<\/ul>
漏洞特征<\/strong>：<\/p>

合约仅存储原始签名进行重复性检查<\/li>
攻击者可生成紧凑型等效签名绕过检查<\/li>
<\/ul>
修复方案<\/strong>：<\/p>

应存储和检查消息哈希 (digest<\/code>) 而非签名<\/li>
修改 nullifiers<\/code> 存储结构：<\/li>
<\/ul>
mapping<\/span>(bytes32<\/span> =><\/span> bool<\/span>) private<\/span> usedDigests; \/\/ 存储用过的消息哈希
<\/span><\/span><\/span><\/code><\/pre>4.4 不遵守规范的无限签名<\/h3>
漏洞原理<\/strong>：<\/p>

RFC-6979 规定应使用确定性 k<\/code> 进行签名<\/li>
但 ecrecover<\/code> 不检查 k<\/code> 是否符合标准<\/li>
攻击者可生成无数个有效签名<\/li>
<\/ul>
防护措施<\/strong>：<\/p>

严格检查消息哈希的唯一性<\/li>
绝不依赖签名本身的唯一性<\/li>
<\/ul>
5. 最佳实践总结<\/h2>


优先使用 OpenZeppelin 的 ECDSA<\/code> 库<\/strong>：<\/p>

提供更安全的封装<\/li>
防止常见攻击<\/li>
<\/ul>
<\/li>

正确的重复性检查<\/strong>：<\/p>
\/\/ 正确做法 - 检查消息哈希
<\/span><\/span><\/span><\/span>bytes32<\/span> digest =<\/span> keccak256(abi.encodePacked(message));
<\/span><\/span>require(!<\/span>usedDigests[digest], "Signature already used"<\/span>);
<\/span><\/span>usedDigests[digest] =<\/span> true<\/span>;
<\/span><\/span><\/code><\/pre><\/li>

消息格式标准化<\/strong>：<\/p>

使用以太坊签名标准格式<\/li>
包含 \x19Ethereum Signed Message:\n<\/code> 前缀<\/li>
<\/ul>
<\/li>

签名验证完整流程<\/strong>：<\/p>
function<\/span> verify<\/span>(
<\/span><\/span>    address<\/span> signer,
<\/span><\/span>    bytes32<\/span> hash,
<\/span><\/span>    bytes<\/span> memory<\/span> signature
<\/span><\/span>) internal<\/span> {
<\/span><\/span>    require(signer ==<\/span> ECDSA.recover(hash, signature), "Invalid signature"<\/span>);
<\/span><\/span>    require(!<\/span>usedHashes[hash], "Signature already used"<\/span>);
<\/span><\/span>    usedHashes[hash] =<\/span> true<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

警惕签名变体<\/strong>：<\/p>

考虑所有可能的签名格式<\/li>
包括标准签名和紧凑型签名<\/li>
<\/ul>
<\/li>
<\/ol>
6. 高级防护技巧<\/h2>


添加 nonce 机制<\/strong>：<\/p>
mapping<\/span>(address<\/span> =><\/span> uint256<\/span>) public<\/span> nonces;
<\/span><\/span>
<\/span><\/span>function<\/span> verifyWithNonce<\/span>(
<\/span><\/span>    address<\/span> signer,
<\/span><\/span>    bytes32<\/span> hash,
<\/span><\/span>    bytes<\/span> memory<\/span> signature,
<\/span><\/span>    uint256<\/span> nonce
<\/span><\/span>) internal<\/span> {
<\/span><\/span>    require(nonce ==<\/span> nonces[signer], "Invalid nonce"<\/span>);
<\/span><\/span>    nonces[signer]++<\/span>;
<\/span><\/span>    verify(signer, hash, signature);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

时间限制签名<\/strong>：<\/p>
function<\/span> verifyWithTime<\/span>(
<\/span><\/span>    address<\/span> signer,
<\/span><\/span>    bytes32<\/span> hash,
<\/span><\/span>    bytes<\/span> memory<\/span> signature,
<\/span><\/span>    uint256<\/span> expiry
<\/span><\/span>) internal<\/span> {
<\/span><\/span>    require(block.timestamp <=<\/span> expiry, "Signature expired"<\/span>);
<\/span><\/span>    verify(signer, hash, signature);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

上下文绑定<\/strong>：<\/p>

在签名消息中包含合约地址<\/li>
防止跨合约重放攻击<\/li>
<\/ul>
<\/li>
<\/ol>
7. 测试建议<\/h2>


测试用例应包括<\/strong>：<\/p>

标准签名验证<\/li>
紧凑型签名验证<\/li>
签名重放尝试<\/li>
延展性签名尝试<\/li>
过期签名验证<\/li>
<\/ul>
<\/li>

使用多样化工具测试<\/strong>：<\/p>
\/\/ 使用不同库生成签名进行测试
<\/span><\/span><\/span><\/span>const<\/span> signature1<\/span> =<\/span> web3<\/span>.eth<\/span>.sign<\/span>(message<\/span>, privateKey<\/span>);
<\/span><\/span>const<\/span> signature2<\/span> =<\/span> ethers<\/span>.utils<\/span>.splitSignature<\/span>(
<\/span><\/span>    await<\/span> wallet<\/span>.signMessage<\/span>(message<\/span>)
<\/span><\/span>);
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
8. 总结<\/h2>
Solidity 中的 ECDSA 签名验证看似简单，实则暗藏多种安全隐患。开发者必须：<\/p>

深入理解 ECDSA 算法特性<\/li>
使用经过验证的安全库<\/li>
实施全面的重复性检查<\/li>
考虑所有可能的签名变体<\/li>
设计完整的签名生命周期管理<\/li>
<\/ol>
遵循这些原则，才能确保基于签名的智能合约功能既安全又可靠。<\/p>

Solidity 中 ECDSA 签名漏洞全面解析<\/h1>

1. 以太坊签名机制基础<\/h2>

2. 合约中的签名验证<\/h2>

2.1 签名恢复方法<\/h3> 合约中常用的两种签名恢复方法：<\/p>

3. 常见签名验证场景<\/h2>

4. ECDSA 签名漏洞类型及实例<\/h2>

2.1 签名恢复方法<\/h3>
合约中常用的两种签名恢复方法：<\/p>