// L1 trigger - audits BLS signature aggregation: subgroup check, rogue-key attack defense, aggregation order, signing-domain separation.
Launch the Plamen deterministic L1 infrastructure audit pipeline
Run the Plamen L1 infrastructure audit wizard in Codex
Launch the Plamen deterministic Web3 security audit pipeline
Run the Plamen smart-contract audit wizard in Codex
L1 trigger - audits configuration constants, documented bounds, feature-gated values, and unused protocol limits for semantic drift.
L1 trigger - audits consensus arithmetic for truncation, unused bounds, EMA direction, and threshold edge errors.
| name | bls-aggregation-audit |
| description | L1 trigger - audits BLS signature aggregation: subgroup check, rogue-key attack defense, aggregation order, signing-domain separation. |
L1 trigger:
L1_PATTERN=trueAND (bls/ORblstORmilagroORpairingORaggregate_signatureORproof_of_possessiondetected in recon subsystem map) Inject Into:depth-consensus-invariantordepth-externalLanguage: Go, Rust, occasionally C Finding prefix:[BLS-N]Status: v0.1 draft, Round 4 exemplars pending
Recon identifies BLS12-381 signature use, typically in: Ethereum beacon chain, Filecoin, Celo, Chia, Aptos, or any aggregated-signature consensus. BLS is subtle: textbook descriptions assume defenses (subgroup check, rogue-key defense) that implementations often forget.
Identify the BLS library:
| Library | Language | Canonical use |
|---|---|---|
blst | C with Go/Rust bindings | Lighthouse, Prysm, Teku |
milagro-crypto | C | Older clients |
arkworks | Rust | Aptos, some academic |
celo-bls-zexe | Rust | Celo |
py_ecc | Python | Reference implementations |
| hand-rolled pairing | Various | Red flag — usually wrong |
A hand-rolled pairing implementation is a near-certain bug source. Flag it for intensive review.
BLS signatures live in a subgroup of an elliptic curve group. An attacker can provide a curve point that is valid on the curve but outside the subgroup, leading to signature verification forgeries.
Check:
blst, the function is blst_p1_in_g1 / blst_p2_in_g2arkworks, there are is_in_correct_subgroup_assuming_on_curve helpersTag: [BLS-SUBGROUP:{loc}:{checked}]
Known exemplar class: the blst library had a historical subgroup-check advisory; check upgrade logs.
Rogue-key attack: attacker registers a public key that is the difference of a target's key and the attacker's, then signs a message that verifies as signed by both.
Defenses:
Check:
Tag: [BLS-ROGUE-KEY:{defense}:{status}]
BLS signatures must include a domain tag in the hash-to-point step. This prevents a signature from one protocol being replayed in another.
Check:
Tag: [BLS-DOMAIN:{message-type}:{tag}]
Signature aggregation must be commutative. If the verification result depends on insertion order, that's a bug (and a non-determinism source).
If the same signature is aggregated twice, the result doubles. Is this intended? In beacon chain, double-counting an attestation is a slashing condition.
Check: Does the aggregation code deduplicate? Does it track which validators have already contributed?
Tag: [BLS-AGG:{issue}]
The hash-to-curve step (RFC 9380) has multiple valid implementations with subtle differences. Inconsistency across clients is a consensus bug.
Check:
Most BLS libraries are C (blst). Calling C from Go or Rust via FFI is a common bug source:
Check:
unsafe block around blst calls: is the pointer valid? Length correct?Tag: [BLS-FFI:{issue}]
| State | Test | Expected | Observed |
|---|---|---|---|
| Zero signature | identity-like bytes | spec-defined rejection | |
| Zero public key | identity-like bytes | rejected | |
| Subgroup-invalid sig | on-curve but wrong subgroup | rejected | |
| Empty aggregation | aggregate of zero sigs | identity or error | |
| Duplicate in aggregate | same sig twice | spec-defined | |
| Max validator aggregation | aggregate of all validators | no integer overflow in count | |
| Domain tag swap | attestation sig used as proposal sig | rejected |
[CONFORMANCE-PASS] (test vectors) > [DIFF-PASS] (against reference) > [LSP-TRACE]Eth2 subgroup-check requirement (milagro_bls / blst) — pairing operation is undefined on points outside the prime-order subgroup of G1/G2. Omitting subgroup check breaks strong unforgeability. Eth2 specs explicitly mandate the check for signatures during verification and public keys during deserialization — because early implementations routinely forgot. eth2book BLS chapter; milagro_bls. Skill catch point: Section 2 — the #1 real-world BLS bug class.
BLS rogue-key attack (class-wide) — if attacker publishes pk_attack = pk_hash_of_honest_sigs − pk_honest, they can unilaterally produce valid "aggregate" signatures without cooperation. Mitigated by Proof-of-Possession at registration OR by message-augmentation (MsgAug scheme from BLS IETF draft). Rogue Key Attack writeup; IETF BLS draft. Skill catch point: Section 3 — the #2 real-world BLS bug class.
Aumasson Eth2 beacon client security review (35+ issues) — comprehensive security review of early beacon chain implementations. Found multiple subgroup check omissions, domain separation misconfigurations, and aggregation-order assumptions. Security Review of Ethereum Beacon Clients. Skill catch point: methodology is lifted from this review — the skill is essentially a distillation of the review's checklist.
Avalanche RFC6979 nonce-determinism disputed report (coingeek, 2022) — ava-labs/avalanchego used a Decred library for RFC6979 deterministic signing; researcher James Edwards reported private-key-forgery concerns (disputed by Ava Labs). Whether or not the specific claim holds, the class is real. coingeek report. Skill catch point: Section 7 (FFI safety) + dependency-audit — audit the full signing-library dependency chain, check CVE history, verify deterministic-nonce generation doesn't leak secret bits.
Reorder Sections 2 and 3 to reflect priority: subgroup check omission and rogue-key are the two most common real-world BLS failures. Every BLS verifier audit should START with these two checks, not end with them.
import "github.com/supranational/blst" or similarDOMAIN_SEPARATION, DOMAIN_, DSTconsensus-safety-invariants (fork-choice uses aggregated attestations), light-client-proof-verification (validator set signing)depth-consensus-invariant, depth-externaldocs/l1-mode/severity-matrix.md