Audit `signWithScalar` against RFC 8032 ed25519

[truthixify]

Tier: L (1-2 weeks) Type: audit

Context

sdk/src/chains/stellar/scalar.ts::signWithScalar is a custom ed25519 signing routine that operates on a derived scalar (not the standard seed-based input). It needs an isolated security review against RFC 8032.

Scope

• Reconstruct what RFC 8032 would do with the same scalar
• Verify nonce derivation is deterministic, scalar-dependent, and bias-free
• Cross-validate signatures against @noble/curves, @stellar/stellar-sdk, WebCrypto, Python cryptography.hazmat
• Adversarial tests: scalar = 0, scalar = L-1, empty message, 1MB message

Acceptance criteria

• Audit report at sdk/audits/2026-XX-author-signwithscalar.md
• Test vectors at test/chains/stellar/signwithscalar-vectors.test.ts
• Justification for why signWithScalar is necessary (vs reconstructing a seed)
• No High/Critical findings published without coordination with security@usewraith.xyz

Files to start with

• sdk/src/chains/stellar/scalar.ts
• RFC 8032: https://datatracker.ietf.org/doc/html/rfc8032

[praizeD10]

@praizeD10 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

I would like to work on this issue because cryptographic correctness is critical, and ensuring that signWithScalar adheres to RFC 8032 for Ed25519 would help strengthen the reliability and security of the implementation. Auditing the function against the specification and validating edge cases can prevent subtle bugs and improve confidence in the library.

I have experience working with TypeScript/JavaScript, implementing and reviewing low-level utility code, and writing thorough tests to verify correctness. I would be happy to investigate the current implementation, identify any discrepancies with RFC 8032, and contribute fixes or additional tests as needed.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @praizeD10 to this issue.

[drips-wave]

Congratulations, @praizeD10! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @praizeD10: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[truthixify]

@praizeD10 Assigned. Welcome to wave 6.

Quick expectations:

1. Branch from develop (not main). PRs target develop. (Note: I just changed the GitHub default to develop so it should auto-pick now.)
2. Open a draft PR within ~3 days of pickup so we can see direction.
3. Update at least every 5 days. Silence is the only thing that costs you the assignment.
4. Hit the acceptance criteria in the issue body. That's the merge bar.

If anything is ambiguous, ask on the issue before building.