Last week a monster in Ethereum’s dark forest revealed itself to me. 16 hours prior to their reveal I had laid down cryptographic bait after hearing of its existence from tux. I expected it, but it was still surprising to refresh Etherscan and see that all my Ether was gone.
This monster was watching Ethereum for an obscure mistake deep in the process of creating a transaction: the reuse of a number while signing a transaction. I went searching for this creature, laid bait, saw it in the wild, and found unexplained tracks. To understand how this bot works, we need to begin by reviewing ECDSA and digital signatures.
Underpinning the two largest cryptocurrencies – Bitcoin and Ethereum – is the elliptic curve digital signature algorithm, or ECDSA. As the name suggests ECDSA is a scheme for producing digital signatures. These signatures are how we prove ownership of our accounts and assets. Each signature proves two things:
- That you possess some secret called a private key. Every private key is tied to a publicly known key called a public key. Your crypto “address” is a public key.
- That you used your private key to sign a particular message. In our case messages are transactions.
ECDSA works because of the fact that you can easily use a private key to generate a public key, but you can’t use a public key to derive a private key. You can, however, use a signature to back out a private key under some limited conditions. This gets somewhat technical, but bear with me.
To generate signatures ECDSA takes a private key d, a random number k, and the hash of a message h. It combines these with Q the public key associated with the private key d, as well as two numbers that are standardized by the ECDSA algorithm, G and n. Together these are used to compute a digital signature with the following algorithm:
Together r and s form a digital signature.
The random number k used in ECDSA signatures is critical. It should never be revealed and should only ever be used once. That is why this random number is also called a nonce and I’ll use nonce from here on out when referring to k. If an attacker learns what nonce was used to generate a particular signature then they can recover the private key used to sign that message. With some algebra the following formula can be derived:
Similarly, if a nonce is ever reused across two different signatures then the private key used to sign those signatures can be recovered. Again, with some algebra we can derive the nonce used from the following equation:
With the nonce we then can recover the private key as above.
So how can we tell if a nonce has been reused?
Recall the formula for generating r in the ECDSA algorithm r = k * G mod n. Given that G and n are simply numbers that remain fixed the only variable that changes from signature to signature i
