Java’s implementation of ECDSA signature validation deviated from the algorithm in two distinct ways that could allow any attacker to craft a valid signature for any key.

There are two issues at play:

1.The r and s values provided in signature were not checked to ensure they were in-range (greater than 0 and less than the order of the curve.

1. Mathematically there is no defined multiplicative inverse for 0, however the Java implementation returned 0 as the inverse of 0.

These two issues combine such that a signature with an r and s of 0 will return as a valid signature for any private key. As this ultimately resolves to multiplication by 0 in calculating the “real” signature.

We previously covered this same issue in the Stark Bank library for Python