SCWE-114: ECDSA Nonce Reuse
Stable Version v1.0
This content is at version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).
Relationships
- CWE-323: Reusing a Nonce, Key Pair in Encryption
https://cwe.mitre.org/data/definitions/323.html
Description
Reusing the same ECDSA nonce (k) across signatures, or using predictable nonces, leaks the private key: the nonce is the one secret per signature that the scheme relies on, and once it is known or repeated the key can be recovered from the signatures. Contracts that accept off-chain signatures for permits, meta-transactions, or governance can therefore be compromised if the signing infrastructure mismanages nonces, even though the contract code itself is correct.
Remediation
- Use battle-tested libraries/wallets that generate a unique nonce per message, either uniformly random or deterministic per RFC 6979.
- Monitor signatures for repeated r values and rotate keys if nonce reuse is suspected; support key revocation on-chain.
- Avoid custom signing code or manual nonce management in scripts.
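The two remediation points above (derive k deterministically per RFC 6979, and monitor for reuse) can both be shown in a few lines. The following Python is an added example, not code from the SCWE project: it implements the RFC 6979 section 3.2 nonce derivation with HMAC-SHA256 for a 256-bit group order (the P-256 order is used as the constant; the constructed signer addresses, r values and message hashes in `SAMPLE_SIGNATURES` are made up for the demonstration). The detector keys signatures by (signer, r), because r depends only on k and the curve, so the same r under the same key for two different messages means the nonce was repeated. Output of `rfc6979_nonce` can be checked against RFC 6979 Appendix A.2.5 with a P-256 key.

```python
import hashlib
import hmac

# Group order of secp256r1 (P-256). Any 256-bit prime order works with
# this code; secp256k1 (used by Ethereum) is also 256-bit.
P256_ORDER = int(
    "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16
)
QLEN_BYTES = 32


def _hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _int2octets(x: int) -> bytes:
    # RFC 6979 2.3.3: fixed-width big-endian encoding of an integer mod q.
    return x.to_bytes(QLEN_BYTES, "big")


def _bits2int(b: bytes, q: int) -> int:
    # RFC 6979 2.3.2: keep the leftmost qlen bits. For a 32-byte SHA-256
    # digest and a 256-bit q no truncation happens.
    value = int.from_bytes(b, "big")
    excess = len(b) * 8 - q.bit_length()
    return value >> excess if excess > 0 else value


def _bits2octets(h1: bytes, q: int) -> bytes:
    # RFC 6979 2.3.4: reduce the hash mod q before encoding.
    return _int2octets(_bits2int(h1, q) % q)


def rfc6979_nonce(private_key: int, message: bytes, q: int = P256_ORDER) -> int:
    """Deterministic ECDSA nonce k per RFC 6979 section 3.2 (HMAC-SHA256).

    Same key and same message always give the same k; any change to the
    message gives an unrelated k, so k is never reused across messages.
    """
    h1 = hashlib.sha256(message).digest()
    seed = _int2octets(private_key) + _bits2octets(h1, q)
    V = b"\x01" * 32
    K = b"\x00" * 32
    K = _hmac_sha256(K, V + b"\x00" + seed)
    V = _hmac_sha256(K, V)
    K = _hmac_sha256(K, V + b"\x01" + seed)
    V = _hmac_sha256(K, V)
    while True:
        T = b""
        while len(T) < QLEN_BYTES:
            V = _hmac_sha256(K, V)
            T += V
        k = _bits2int(T, q)
        if 1 <= k < q:
            return k
        # Out of range: re-key and try again (RFC 6979 3.2 step h.3).
        K = _hmac_sha256(K, V + b"\x00")
        V = _hmac_sha256(K, V)


def find_nonce_reuse(signatures):
    """Return {(signer, r): {message hashes}} for every signer whose r value
    appears under two or more distinct messages, i.e. a repeated nonce.

    Signing the *same* message twice with the same r is expected under
    RFC 6979 and is not flagged.
    """
    seen = {}
    for sig in signatures:
        seen.setdefault((sig["signer"], sig["r"]), set()).add(sig["message_hash"])
    return {key: hashes for key, hashes in seen.items() if len(hashes) > 1}


# Constructed sample: a signer that reused its nonce on two different
# messages (same r, different message hashes) plus a healthy signer.
SAMPLE_SIGNATURES = [
    {"signer": "0xSignerA", "r": "0x1111", "message_hash": "0xaaaa"},
    {"signer": "0xSignerA", "r": "0x1111", "message_hash": "0xbbbb"},  # reuse
    {"signer": "0xSignerA", "r": "0x1111", "message_hash": "0xaaaa"},  # replay of the same message, benign
    {"signer": "0xSignerB", "r": "0x2222", "message_hash": "0xcccc"},
    {"signer": "0xSignerB", "r": "0x3333", "message_hash": "0xdddd"},
]


if __name__ == "__main__":
    key = 0x1234_5678_9ABC_DEF0  # constructed demo key, not a real secret
    print(hex(rfc6979_nonce(key, b"permit #1")))
    print(hex(rfc6979_nonce(key, b"permit #2")))
    print(find_nonce_reuse(SAMPLE_SIGNATURES))
```

The detector is the monitoring half of the remediation: run it over the signatures a relayer or indexer has seen for each signer, and treat any hit as grounds to revoke that signer on-chain. Monitoring by r is cheap because r is public in every signature and needs no knowledge of the key.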
Examples
Vulnerable
```solidity
// Off-chain signer reuses k for two messages:
// sig1 = (r, s1) with k
// sig2 = (r, s2) with same k => private key can be recovered
```
Fixed
```solidity
// Off-chain: use libraries/wallets that follow RFC 6979; never reuse k.
// On-chain: support key rotation so compromised keys can be revoked.
mapping(address => bool) public revokedSigners;

function execute(bytes calldata payload, bytes calldata sig) external {
    address signer = _recoverSigner(payload, sig);
    require(!revokedSigners[signer], "key revoked");
    // ...
}
```