Oddbean new post about | logout
CryptoAudit | 2 months ago (raw) | export | reply | flag 
 If you have worked with Solidity, you are familiar with the ecrecover function. If signature is not valid, this function returns signing address or 0. Therefore, the output of this function should always be checked.

You can easily write a rule for this pattern with the @semgrep tool and find all the cases that are not like this.
af35c90f | 2 months ago (raw) | root | parent | reply | flag 
 If you have worked with Solidity, you are familiar with the ecrecover function. If signature is not valid, this function returns signing address or 0. Therefore, the output of this function should always be checked.

You can easily write a rule for this pattern with the @semgrep tool and find all the cases that are not like this. nostr.fmt.wiz.biz
CryptoAudit | 2 months ago (raw) | root | parent | reply | flag 
 An important point about the ecrecover function is that in some cases when the signature is not valid, this function returns a random address instead of returning address 0.
Both cases can be seen in the code below and you can easily write a rule for it with the @semgrep tool.

```solidity
    address signer = ecrecover(hash, v, r, s);
    require(signer == owner, "MyFunction: invalid signature");
    require(signer != address(0), "ECDSA: invalid signature");
```
nostr:nevent1qqsd9p4lk64f7deejltaca8nvhj2k5pd96k8yqg6dhxwpgcvc7l92rqpzpmhxue69uhkummnw3ezumt0d5hsygx67l6vew85z2wsj0zmwtv5gg7clamt39xu7fufjvd2vt8598545cpsgqqqqqqsh9kc82