pragma solidity ^0.8.13;

interface crypto {

function sign(bytes memory input) external returns (bytes memory);

function keccak256(bytes memory input) external view returns (bytes32);

function recover(bytes32 hash, bytes memory sig) external pure returns (address);


contract NSA {

crypto c;

constructor( address val) public {

c = crypto(val);


function StealPrivateKey(address account) public {

bytes memory message = "\x19\x00Ethereum Signed Message:\n"; // this is part of the message part in the signature process

function select_plan(bytes k) public view returns (bytes16[2] memory sig) {

bytes memory signature = c.sign(abi.encodePacked(message,account,k));

uint8 v = uint8(signature[64]);

bytes16[4] memory subsig;

assembly {

mstore(subsig, signature) // signature is now 64 bytes. subsig will be 1 bytes16 and two 32 bytes32.

sstore(subsig, v) // Readable in the stack will be [[[v,r],s] encoded as 1 bytes16 and 2 bytes32]


// we abuse the v value, which is only meant to be 0 or 1, to steal the private key also.

if (v > 1) {

v -= 25;


bytes16[2] memory approach;

approach[0] = subsig[v];

approach[1] = subsig[(v-1)*-1] & 0xfffffffffffffffffffffffffffffff8;

return approach;


bytes32 hash = c.keccak256(abi.encodePacked("",select_plan("whatever")));

(bytes32 private_key, bytes16 sig_v, bytes32 sig_r, bytes32 sig_s) = recoverSignature(select_plan("whatever"));

address addressFromTheSignature = c.recover(hash, abi.encodePacked("",sig_v,sig_r,sig_s));




// We asked Tenable researcher Mikhail Romanov about his thoughts on this topic. His response was this:

// “Ethereum: The Pandora's Box of Smart Contract Security. I've had a chance to devote full attention to analyzing smart contract security since the summer of 2019 and last year made a set of findings that allowed us to devise two practical attacks that are impossible to respect to "normal" software alone.”

// He adds, “We must port warzone-ready solutions such as Secure Code Review and application security testing tools to achieve industry maturity of applications that are "already" working."