Description
Summary
The on-chain BLS signature verification used by PredepositGuarantee is weaker than the
Ethereum Consensus Layer (CL) specification.
Specifically, a valid BLS signature can have its compressed G2 sign bit flipped and still
pass on-chain verification, while being rejected by CL clients (e.g. blst, Lodestar,
Lighthouse).
This creates a correctness mismatch where a deposit is accepted on-chain but dropped by
the Consensus Layer, resulting in an irreversibly locked predeposit.
Expected Behavior
The on-chain BLS verification must reject any deposit data that would be rejected by
Consensus Layer clients.
In particular:
- Compressed BLS signatures with invalid or mismatched sign bits must be rejected
- Y-coordinate parity must be consistent with the sign bit
- On-chain verification must not be weaker than CL verification rules
Potential Impact
A node operator can submit deposit data that:
- Passes PredepositGuarantee.verifyDepositMessage on-chain
- Is permanently rejected by the Consensus Layer
As a result:
- 1 ETH predeposit becomes irreversibly locked in the deposit contract
- The validator never appears on CL
- Normal proving / exit flows become impossible
While the funds remain economically backed by PredepositGuarantee guarantees and can be
compensated via contract upgrade, this introduces operational risk and violates a core
correctness invariant.
Steps to Reproduce
- Take a valid Eth2 deposit message and BLS signature.
- Flip the sign bit (5th bit, 0x20 mask) of the compressed G2 signature.
- Provide the original Y coordinates for the signature.
- Call PredepositGuarantee.verifyDepositMessage with the modified signature.
Result:
- The on-chain verifier accepts the signature.
- Consensus Layer clients reject the same signature during decompression / validation.
Possible Solutions
- Explicitly validate compressed BLS point format invariants
- Verify that the sign bit matches the parity of the provided Y coordinate
- Reject malformed service-bit combinations instead of stripping them unconditionally
- Align compressed point validation logic with Consensus Layer (blst) behavior
Additional negative test cases should be added to ensure malformed compressed signatures
are rejected on-chain.
Guidelines
- I agree to follow Code of Conduct.
- I have read Lido Contribution Guide.
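
The sign-bit check proposed under Possible Solutions, sketched as a Python reference for negative tests; this is an added example, not code from the Lido repository or from blst. It assumes the standard BLS12-381 compressed encoding (flag bits 0x80/0x40/0x20 in the first byte, x_c1 before x_c0, sign flag set when y is the lexicographically larger of y and -y); the function names and sample values are hypothetical.

```python
# Added example: format checks only; curve, subgroup and pairing checks are out of scope.
P = int(
    "1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf"
    "6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab", 16)  # BLS12-381 field modulus
HALF = (P - 1) // 2
C_FLAG, I_FLAG, S_FLAG = 0x80, 0x40, 0x20  # flag bits in the first byte

def y_is_largest(y_c0: int, y_c1: int) -> bool:
    """True when y = y_c0 + y_c1*u is lexicographically larger than -y."""
    return y_c1 > HALF if y_c1 else y_c0 > HALF

def check_compressed_g2(sig: bytes, y_c0: int, y_c1: int):
    """Return None when flags and the supplied Y agree, else a rejection reason."""
    if len(sig) != 96:
        return "bad length"
    if not sig[0] & C_FLAG:
        return "compression flag not set"
    if sig[0] & I_FLAG:
        return "infinity flag set"  # assumption: never valid for a deposit signature
    x_c1 = int.from_bytes(bytes([sig[0] & 0x1F]) + sig[1:48], "big")
    x_c0 = int.from_bytes(sig[48:], "big")
    if max(x_c0, x_c1, y_c0, y_c1) >= P:
        return "coordinate not reduced mod p"
    if bool(sig[0] & S_FLAG) != y_is_largest(y_c0, y_c1):
        return "sign bit does not match supplied Y"
    return None

def encode(x_c0: int, x_c1: int, sign: bool) -> bytes:
    """Hypothetical helper that builds the 96-byte encoding for the samples."""
    raw = bytearray(x_c1.to_bytes(48, "big") + x_c0.to_bytes(48, "big"))
    raw[0] |= C_FLAG | (S_FLAG if sign else 0)
    return bytes(raw)

# Constructed values: not a real signature, not guaranteed to be on the curve.
X_C0, X_C1, Y_C0, Y_C1 = 2, 1, 7, 5
GOOD = encode(X_C0, X_C1, y_is_largest(Y_C0, Y_C1))
FLIPPED = bytes([GOOD[0] ^ S_FLAG]) + GOOD[1:]  # same bytes, sign flag toggled

if __name__ == "__main__":
    print(check_compressed_g2(GOOD, Y_C0, Y_C1))
    print(check_compressed_g2(FLIPPED, Y_C0, Y_C1))
```

The toggled encoding is format-consistent only with the negated Y, which is a different point and is left to the pairing check to reject.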