add test for EIP-2098 compact signatures

a16z · Mar 23, 2024 · 81cb2ad · 81cb2ad
1 parent 986479a
commit 81cb2ad
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/tests/expected/all.json b/tests/expected/all.json
@@ -1486,6 +1486,15 @@
                 "time": null,
                 "num_bounded_loops": null
             },
+            {
+                "name": "check_ecrecover_eip2098CompactSignatures(uint256,bytes32)",
+                "exitcode": 0,
+                "num_models": 0,
+                "models": null,
+                "num_paths": null,
+                "time": null,
+                "num_bounded_loops": null
+            },
             {
                 "name": "check_ecrecover_explicitMalleability(uint256,bytes32)",
                 "exitcode": 0,

diff --git a/tests/regression/test/Signature.t.sol b/tests/regression/test/Signature.t.sol
@@ -328,6 +328,25 @@ contract SignatureTest is SymTest, Test {
         assertEq(ecrecover(digest, v2, r2, s2), vm.addr(privateKey2));
     }
 
+    function check_ecrecover_eip2098CompactSignatures(
+        uint256 privateKey,
+        bytes32 digest
+    ) public {
+        address addr = vm.addr(privateKey);
+        (uint8 v, bytes32 r, bytes32 s) = vm.sign(privateKey, digest);
+
+        // assume s is in the lower half order
+        vm.assume(uint256(s) < secp256k1n / 2);
+
+        // convert to compact format
+        uint8 yParity = v - 27;
+        bytes32 vs = bytes32(((uint256(yParity) << 255) | uint256(s)));
+
+        // check that the compact signature can be verified
+        address recovered = ECDSA.recover(digest, r, vs);
+        assertEq(recovered, addr);
+    }
+
     function check_makeAddrAndKey_consistent_symbolic() public {
         string memory keyName = svm.createString(32, "keyName");
         (address addr, uint256 key) = makeAddrAndKey(keyName);