Exploit PoC Test Catalog
UltrafastSecp256k1 — Security-driven exploit test inventory
Last updated: 2026-03-24 | Total: 86 exploit PoC files
Every file matching `audit/test_exploit_*.cpp` is a standalone, security-focused proof-of-concept test that drives a specific attack surface, protocol invariant, or correctness property. Each test is built as a standalone binary and is also compiled into `unified_audit_runner`.
Summary by Category
| Category | Files | Tests |
|---|---|---|
| Adaptor Signatures | 2 | adaptor_extended, adaptor_parity |
| Address / Encoding | 3 | address_generation, segwit_encoding, selftest_api |
| Batch Verification | 3 | batch_schnorr, batch_soundness, batch_verify_correctness |
| BIP-32 HD Derivation | 3 | bip32_depth, bip32_derivation, bip32_path_overflow |
| BIP-39 Mnemonic | 2 | bip39_entropy, bip39_mnemonic |
| BIP-143/144 SegWit | 2 | bip143_sighash, bip144_serialization |
| BIP-324 Transport | 4 | bip324_counter_desync, bip324_session, bip324_transcript_splice, ellswift |
| ChaCha20-Poly1305 | 2 | chacha20_nonce_reuse, chacha20_poly1305 |
| CT Layer | 1 | ct_recov |
| ECDH | 3 | ecdh, ecdh_degenerate, ecdh_variants |
| ECDSA | 4 | ecdsa_der_confusion, ecdsa_edge_cases, ecdsa_recovery, recovery_extended |
| ECIES Encryption | 3 | ecies_auth, ecies_encryption, ecies_roundtrip |
| Ethereum | 2 | eth_signing, wallet_api |
| Field / Scalar Math | 4 | field_arithmetic, scalar_group_order, scalar_invariants, point_group_law |
| FROST | 7 | frost_commitment_reuse, frost_dkg, frost_index, frost_lagrange_duplicate, frost_participant_zero, frost_signing, frost_threshold_degenerate |
| GLV / MSM | 3 | glv_endomorphism, multiscalar, pippenger_msm |
| Hash / KDF | 5 | hkdf_security, keccak256_kat, sha512_kat, sha_kat, bitcoin_message_signing |
| HD Multi-Coin | 1 | coin_hd_derivation |
| MuSig2 | 5 | musig2, musig2_key_agg, musig2_nonce_reuse, musig2_ordering, musig2_transcript_fork |
| Pedersen / ZK | 4 | pedersen_homomorphism, pedersen_adversarial, zk_proofs, zk_adversarial |
| Private Key | 1 | private_key |
| Schnorr | 1 | schnorr_edge_cases |
| Taproot | 2 | taproot_scripts, taproot_tweak |
Full Catalog
Adaptor Signatures
| File | Purpose |
|---|---|
| test_exploit_adaptor_extended.cpp | Extended security properties of Schnorr + ECDSA adaptor signatures: pre-signature blindness, extracted secret correctness, wrong-secret detection |
| test_exploit_adaptor_parity.cpp | Adaptor signature R.y parity enforcement: verifies that adapting a pre-signature enforces even/odd parity on the hidden value |
Address & Encoding
| File | Purpose |
|---|---|
| test_exploit_address_generation.cpp | Bitcoin address generation security: P2PKH, P2WPKH (bech32), P2TR across mainnet/testnet, cross-type isolation |
| test_exploit_segwit_encoding.cpp | SegWit scriptPubKey construction and witness script validation (P2WPKH, P2WSH, P2TR opcodes) |
| test_exploit_selftest_api.cpp | Selftest API completeness and determinism: ufsecp_selftest() returns consistent results |
Batch Verification
| File | Purpose |
|---|---|
| test_exploit_batch_schnorr.cpp | Schnorr batch verification soundness: a forged signature embedded in a batch must be detected, and individual verify must agree |
| test_exploit_batch_soundness.cpp | Batch signature verification correctness: valid-all-pass, single-corrupt-detected, empty-batch behavior |
| test_exploit_batch_verify_correctness.cpp | Correctness and security of schnorr_batch_verify vs individual verify; cached vs uncached parity |
BIP-32 HD Derivation
| File | Purpose |
|---|---|
| test_exploit_bip32_depth.cpp | BIP-32 uint8_t depth silent overflow: depth=255 → child depth=0 must be caught or behave safely |
| test_exploit_bip32_derivation.cpp | BIP-32 hierarchical derivation correctness and key isolation: hardened vs normal, known test vectors |
| test_exploit_bip32_path_overflow.cpp | BIP-32 path parser integer overflow and boundary conditions: index > 2^31, hardened derivation on a public key, empty path |
BIP-39 Mnemonic
| File | Purpose |
|---|---|
| test_exploit_bip39_entropy.cpp | BIP-39 mnemonic security: entropy → mnemonic → validate → seed, 128-bit and 256-bit entropy, wordlist coverage |
| test_exploit_bip39_mnemonic.cpp | BIP-39 generation, validation, and seed derivation: determinism, invalid words, passphrase isolation |
BIP-143 / BIP-144 SegWit Signing
| File | Purpose |
|---|---|
| test_exploit_bip143_sighash.cpp | BIP-143 SegWit v0 signature hash: P2WPKH script_code construction, sighash determinism, NULL argument rejection |
| test_exploit_bip144_serialization.cpp | BIP-144 witness transaction serialization: txid vs wtxid, witness commitment (coinbase output) |
BIP-324 Encrypted Transport
| File | Purpose |
|---|---|
| test_exploit_bip324_counter_desync.cpp | BIP-324 failed-packet robustness: forged packets must be rejected without advancing the receiver nonce/counter and desynchronizing later authentic traffic |
| test_exploit_bip324_session.cpp | BIP-324 v2 P2P encrypted transport: session handshake, AEAD encrypt/decrypt, garbage terminator, decoy packets |
| test_exploit_bip324_transcript_splice.cpp | BIP-324 transcript and packet-counter binding: mixed header/body splices across sessions or counters must fail |
| test_exploit_ellswift.cpp | ElligatorSwift (BIP-324 XDH): encoding is uniform, ECDH shared secret is symmetric, different keys produce different secrets |
ChaCha20-Poly1305
| File | Purpose |
|---|---|
| test_exploit_chacha20_nonce_reuse.cpp | ChaCha20-Poly1305 nonce reuse: same nonce + different plaintext → keystream reuse, AEAD authentication fails |
| test_exploit_chacha20_poly1305.cpp | RFC 8439 AEAD correctness: encrypt/decrypt, tampered tag, tampered ciphertext, wrong-nonce rejection |
CT (Constant-Time) Layer
| File | Purpose |
|---|---|
| test_exploit_ct_recov.cpp | CT violation test for ct::ecdsa_sign_recoverable: verifies that constant-time routing is active and timing is uniform |
ECDH
| File | Purpose |
|---|---|
| test_exploit_ecdh.cpp | ECDH key agreement: symmetry (A→B == B→A), 3-party isolation, SHA256 shared secret, x-only variant |
| test_exploit_ecdh_degenerate.cpp | ECDH degenerate inputs: zero private key (graceful failure), point at infinity, order-multiple scalar |
| test_exploit_ecdh_variants.cpp | ECDH variants: ecdh_compute, ecdh_compute_raw, ecdh_compute_xonly; correctness, symmetry, isolation |
ECDSA
| File | Purpose |
|---|---|
| test_exploit_ecdsa_der_confusion.cpp | ECDSA DER strictness: alternate byte encodings of the same logical signature must be rejected unless they are the single canonical DER form |
| test_exploit_ecdsa_edge_cases.cpp | ECDSA edge cases: low-S normalization, k=1/k=n-1 boundary keys, wrong-key/tampered-message rejection |
| test_exploit_ecdsa_recovery.cpp | ECDSA key recovery: recid encoding, recovered key matches signer, invalid signature returns error |
| test_exploit_recovery_extended.cpp | Extended ECDSA recovery: recid 0-3 coverage, compact form, cross-chain isolation |
ECIES Encryption
| File | Purpose |
|---|---|
| test_exploit_ecies_auth.cpp | ECIES authentication bypass: tampered HMAC tag, tampered ciphertext, and tampered ephemeral key must all cause decryption failure |
| test_exploit_ecies_encryption.cpp | ECIES encrypt/decrypt IND-CCA properties: probabilistic (different ephemeral key per run), wrong-key rejection, overhead size |
| test_exploit_ecies_roundtrip.cpp | ECIES end-to-end: plaintext recovery, truncated-envelope failure, 1024-byte message roundtrip |
Ethereum
| File | Purpose |
|---|---|
| test_exploit_eth_signing.cpp | Ethereum signing security: EIP-191 personal sign, EIP-155 chain ID replay protection, ecrecover correctness |
| test_exploit_wallet_api.cpp | Unified wallet API: BTC/ETH sign+verify roundtrip, WIF export, recover_address, wrong key fails |
Field & Scalar Arithmetic
| File | Purpose |
|---|---|
| test_exploit_field_arithmetic.cpp | Secp256k1 field element (Fp) invariants: normalization, add/sub/mul/inv, overflow, sqrt, batch_normalize |
| test_exploit_scalar_group_order.cpp | Scalar (Zn) invariants and edge cases: group order reduction, scalar n=0, scalar 1/n-1 boundary |
| test_exploit_scalar_invariants.cpp | Scalar arithmetic edge cases: add/sub/mul/inv commutativity, associativity, distributivity |
| test_exploit_point_group_law.cpp | Elliptic curve point group law: associativity, identity, doubling, negation, 10*G via repeated addition |
FROST Threshold Signing
| File | Purpose |
|---|---|
| test_exploit_frost_dkg.cpp | FROST 2-of-3 and 3-of-3 DKG + all signer subsets: consistent group pubkey, Lagrange coefficients, nonce zeroization |
| test_exploit_frost_commitment_reuse.cpp | FROST coordinator replay resistance: stale nonce commitments reused across rounds or signer subsets must not verify as valid partial/final signatures |
| test_exploit_frost_index.cpp | FROST polynomial coefficient collision via index formula: duplicate participant IDs corrupt Lagrange interpolation |
| test_exploit_frost_lagrange_duplicate.cpp | FROST Lagrange coefficient corruption via duplicate signer IDs: must be detected and rejected |
| test_exploit_frost_participant_zero.cpp | FROST participant_id=0 secret exposure: ID=0 in Shamir evaluation produces recoverable private key leakage |
| test_exploit_frost_signing.cpp | FROST t-of-n threshold signing end-to-end: all subsets sign, different messages produce different signatures |
| test_exploit_frost_threshold_degenerate.cpp | FROST degenerate threshold=0 and threshold=1 edge cases: must be rejected or behave safely |
GLV / Multi-Scalar Multiplication
| File | Purpose |
|---|---|
| test_exploit_glv_endomorphism.cpp | GLV endomorphism correctness: phi(P) == lambda*P for random points, phi(phi(P)) == -P |
| test_exploit_multiscalar.cpp | Multi-scalar multiplication correctness: multi_scalar_mul vs naive summed scalar_mul, Shamir's trick |
| test_exploit_pippenger_msm.cpp | Pippenger MSM correctness: N=1..64, result vs naive scalar-mul reference, determinism |
Hash / KDF
| File | Purpose |
|---|---|
| test_exploit_hkdf_security.cpp | HKDF-SHA256 (RFC 5869) security: extract, expand, known test vectors, output isolation across salts/IKMs |
| test_exploit_keccak256_kat.cpp | Keccak-256 KAT vectors: empty, "abc", fox, rate boundary (136 bytes), Ethereum Keccak != SHA3-256 |
| test_exploit_sha512_kat.cpp | SHA-512 NIST FIPS 180-4 KAT + HMAC-SHA512 RFC 4231 TV1–TV3, incremental/byte-by-byte, 1M-'a' |
| test_exploit_sha_kat.cpp | SHA-256 NIST KAT + incremental modes, 3-byte SHA-NI boundary, 55/56/64/128-byte boundaries |
| test_exploit_bitcoin_message_signing.cpp | BIP-137 Bitcoin message signing: domain separation (`\x18Bitcoin Signed Message:\n`), sign+verify, wrong-key rejection |
HD Multi-Coin
| File | Purpose |
|---|---|
| test_exploit_coin_hd_derivation.cpp | Multi-coin BIP-44 HD derivation: BTC/ETH/LTC coin-type path isolation, hardened vs normal, path overflow |
MuSig2
| File | Purpose |
|---|---|
| test_exploit_musig2.cpp | MuSig2 (BIP-327) 2-of-2 and 3-of-3 roundtrip, nonce-reuse prevention (k1 zeroed after partial_sign) |
| test_exploit_musig2_key_agg.cpp | MuSig2 key aggregation: non-trivial aggregate, order independence (agg({pk1,pk2}) == agg({pk2,pk1})), isolation |
| test_exploit_musig2_nonce_reuse.cpp | MuSig2 nonce reuse: signing with an already-consumed nonce must fail or produce inconsistent partial signatures |
| test_exploit_musig2_ordering.cpp | MuSig2 key aggregation order dependence: different input order must produce an identical aggregate (BIP-327 lexicographic sort) |
| test_exploit_musig2_transcript_fork.cpp | MuSig2 coordinator equivocation: honest partial signatures created under forked message transcripts must not cross-verify or aggregate into a valid final signature |
Pedersen Commitments / ZK Proofs
| File | Purpose |
|---|---|
| test_exploit_pedersen_homomorphism.cpp | Pedersen commitment homomorphic properties: C(a)+C(b) == C(a+b), blinding factor isolation, switch commitment |
| test_exploit_pedersen_adversarial.cpp | Pedersen adversarial / switch-commit security: switch roundtrip, zero-blind equivalence, binding, zero-commit identity, negation cancellation, imbalanced verify_sum, blind_sum subtraction, double-spend detection, generator J independence (12 tests) |
| test_exploit_zk_proofs.cpp | Zero-knowledge proof soundness: Schnorr sigma-proof forge resistance, completeness, challenge binding |
| test_exploit_zk_adversarial.cpp | ZK adversarial / malformed inputs: garbage bytes, all-zero proof, scalar overflow, truncated data, identity pubkey, identity generator, degenerate DLEQ, wrong commitment, overflow e, 64-byte-flip sensitivity (14 tests) |
Private Key
| File | Purpose |
|---|---|
| test_exploit_private_key.cpp | PrivateKey strong type security: validation (zero rejected, >n rejected), lifecycle, CT sign routing |
Schnorr
| File | Purpose |
|---|---|
| test_exploit_schnorr_edge_cases.cpp | BIP-340 Schnorr edge cases: k=1/k=n-1, nonce of 32 zero bytes, key at group order boundary, tamper detection |
Taproot
| File | Purpose |
|---|---|
| test_exploit_taproot_scripts.cpp | BIP-341 script tree: leaf hash, branch hash commutativity (sorted), two-level tree, different leaf versions |
| test_exploit_taproot_tweak.cpp | Taproot key tweak and commitment: output key derivation, tweaked secret key owns the output, different internal keys isolated |
Status
All 82 exploit PoC source files are part of the standalone audit surface. They are built as individual audit binaries and are intended to pass independently.
Recent findings and fixes
| Date | Test | Finding | Resolution |
|---|---|---|---|
| 2026-03-24 | test_exploit_sha512_kat | Wrong expected value in HMAC-SHA512 RFC 4231 TV1 (byte 62: 0x6a vs correct 0x68); transcription error in the test vector | Fixed expected array; the implementation (bip32.cpp:hmac_sha512) was correct |
| 2026-03-24 | test_exploit_ct_recov | CT routing verified correctly | No fix needed |
| 2026-03-24 | test_exploit_bip324_transcript_splice | Added transcript/packet splice regression for BIP-324 session binding | New exploit PoC added |
| 2026-03-23 | test_exploit_musig2_ordering | Canonical sort assertion used != instead of == | Fixed assertion logic |
| 2026-03-23 | test_exploit_sha_kat | SHA-256 KAT vector had wrong expected digest | Fixed expected bytes |
Next Candidates
The next planned hardening wave is tracked in `EXPLOIT_BACKLOG.md`.
Priority candidates: `test_exploit_bip324_transcript_splice.cpp`, `test_exploit_musig2_transcript_fork.cpp`, `test_exploit_frost_commitment_reuse.cpp`, `test_exploit_ecdsa_der_confusion.cpp`, `test_exploit_gpu_host_api_shape.cpp`.