Security issue: insecure dep is used, upgrade to something better #600
Comments
|
When you say it allows forged signatures, do you mean it can easily generate forged signatures, or it validates forged signatures? Could you link to a cve or some vulnerability report so i can review this? Thank you. |
|
It seems to have to do with the verification of the signature using the ed25519 class provided by tweetnacl, referencing your issue in the parent repo was helpful dchest/tweetnacl-js#253 I agree we should probably find a way to negate this. |
|
https://github.com/paulmillr/noble-curves fixes this, it's very easy to switch |
|
I hope you can understand why someone would hesitate to move a mission-critical security library that has been stable for years to someone promoting their own repository, whose code was audited prior to a 1.0 release. Notably, this isn't a Stellar issue (the network itself uses |
Yeah, I promote it, and because of the promotion it's been funded by ethereum foundation, optimism, used in many wallets, protonmail, and others. I don't see any problem with promotion and proper competition. Do you? |
|
Also not sure what this means
I've released noble-ed25519 in june 2019, 4 years ago. Promoting a new player in the field was hard and time-consuming. The first audit of secp was executed in april 2021, 26 months ago. |
|
It's time to hack stellar. |
You are using tweetnacl, which allows forged signatures.
I suggest to upgrade to noble-curves, which are modern, audited, support ESM+Common.js and a bunch of other stuff. The noble libraries are used all over Ethereum and Solana ecosystems already.
The text was updated successfully, but these errors were encountered: