
arxiv: 2605.21498 · v1 · pith:JB4XV4P4new · submitted 2026-05-03 · 💻 cs.CR

Chain Reactions: How Nonce Collisions in ECDSA Compromise Polygon MEV Searchers

Pith reviewed 2026-05-22 00:57 UTC · model grok-4.3

classification 💻 cs.CR
keywords: ECDSA, nonce reuse, private key recovery, MEV, Polygon, blockchain security, signature analysis, cryptographic vulnerability

The pith

Systematic nonce reuse in ECDSA signatures allows recovery of private keys for Polygon MEV searchers.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines on-chain data from Polygon and finds that MEV searchers, chasing sub-second response times in sealed-bid auctions, generate ECDSA nonces from predictable patterns. The nonce at issue is the per-signature secret scalar k whose curve point yields the signature's r value, not the account's transaction counter that Ethereum-family chains also call a nonce. Every ECDSA signature satisfies s·k = h + r·d (mod n), with h the message hash and d the private key, so two signatures under one key with identical nonces (visible on chain as an identical r) or with nonces related by known linear coefficients give a system of linear equations in k and d that a passive observer solves with elementary algebra. Where one flawed generator runs inside several wallets, nonces collide across wallets as well, and the paper reports such cross-wallet collisions on Polygon; the upshot is that a latency requirement imposed by a blockchain protocol can undermine cryptographic security.

Core claim

Searchers employ predictable nonce patterns that create linear relationships between signatures, allowing passive attackers to recover private keys using elementary algebra. We provide a compact linear-system formulation for such attacks, including the dangerous case of cross-wallet nonce collisions, and present concrete evidence of exploitable patterns on Polygon.

What carries the argument

Linear system derived from multiple ECDSA signatures with related nonces, solved via elementary algebra to recover the private key.

If this is right

  • Two signatures under the same key whose nonces are identical (same r on chain) or related by known linear coefficients suffice to recover the private key.
  • Cross-wallet nonce collisions enable simultaneous compromise of several accounts from one implementation error.
  • Latency pressures in sealed-bid MEV auctions drive the adoption of these insecure nonce patterns.
  • On-chain data provides direct evidence of exploitable patterns in production Polygon activity.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar predictability problems may appear in other high-frequency trading or auction systems on blockchains.
  • Enforcing cryptographically secure random nonces remains necessary even when response time is critical.
  • Routine scans of on-chain signatures across chains could detect comparable reuse patterns before exploitation.

Load-bearing premise

The nonce patterns observed in the data are systematic and persistent enough that attackers can collect enough signatures to solve the linear system for the private key.

What would settle it

Collecting additional on-chain signatures from the same Polygon MEV searcher, solving the linear system, and checking that the recovered scalar d satisfies d·G = Q for the signer's public key Q. On Polygon only the sender address is on chain, so the practical form of the check is that the address derived from d·G equals the transaction's sender; a match on repeated, independent signature pairs would settle the claim.
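The algebra sketched in the pith, the scan for repeated r values that the "reading between the lines" section suggests, and the d·G check from "What would settle it", as an added worked example; this is not code from the paper. It is a pure-Python secp256k1 ECDSA with a caller-chosen nonce, a grouping of observed (sender, r, s, h) tuples by r, and three recoveries: same key with an identical nonce, same key with counter nonces k and k+1 (coefficients a = 1, b = 1 known to the attacker), and a cross-wallet collision where the nonce pinned from wallet A's pair unlocks wallet B from a single signature. Keys, nonces and bid messages are constructed, and SHA-256 stands in for keccak256 as the message hash. One caveat worth keeping in mind: two signatures under two different keys that share one nonce give two equations in three unknowns (k, d_A, d_B) and do not by themselves determine either key, which is why the cross-wallet recovery below first pins k from a pair under one key.

```python
import hashlib
from collections import defaultdict

# secp256k1 domain parameters (the curve behind Ethereum/Polygon signatures).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def inv(x, m):
    return pow(x, -1, m)

def point_add(p1, p2):
    """Affine addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, point):
    """Double-and-add; fine for a demo, not constant-time."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def msg_hash(msg):
    # SHA-256 stands in for keccak256 here; the recovery algebra is unchanged.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, k, h):
    """Textbook ECDSA with a caller-chosen nonce k: the flaw under study."""
    r = scalar_mult(k, G)[0] % N
    return r, inv(k, N) * (h + r * d) % N

def find_r_collisions(observations):
    """Group observed (sender, r, s, h) tuples by r. A repeated r means a
    repeated nonce k, whether inside one wallet or across wallets."""
    by_r = defaultdict(list)
    for sender, r, s, h in observations:
        by_r[r].append((sender, s, h))
    return {r: sigs for r, sigs in by_r.items() if len(sigs) > 1}

def recover_from_reused_nonce(r, s1, h1, s2, h2):
    """Same key, same k: two equations s_i*k = h_i + r*d in unknowns k, d."""
    k = (h1 - h2) * inv(s1 - s2, N) % N
    return k, (s1 * k - h1) * inv(r, N) % N

def recover_from_linear_nonces(sig1, h1, sig2, h2, a, b):
    """Same key, k2 = a*k1 + b mod N with a, b known (a counter gives 1, 1)."""
    (r1, s1), (r2, s2) = sig1, sig2
    num = (r1 * h2 - r2 * h1 - r1 * s2 * b) % N
    k1 = num * inv((r1 * s2 * a - r2 * s1) % N, N) % N
    return k1, (s1 * k1 - h1) * inv(r1, N) % N

def recover_with_known_nonce(r, s, h, k):
    """Cross-wallet case: once k is known, one signature sharing it yields d."""
    return (s * k - h) * inv(r, N) % N

def key_matches_pubkey(d, pub):
    """The check from 'What would settle it': d*G must equal the observed key."""
    return scalar_mult(d, G) == pub

def demo():
    # Constructed private keys for two searcher wallets and a constructed
    # "fast" nonce (think timestamp or counter) shared by their signer code.
    d_a, d_b = 0x2A5F0C3E9B7D1846F0E2C4A6B8D0F214, 0x7B3C9D1E5F0A2468ACE13579BDF02468
    pub_a, pub_b = scalar_mult(d_a, G), scalar_mult(d_b, G)
    k = 0x5EED1234
    h1, h2, h3 = (msg_hash(m) for m in (b"bid 1", b"bid 2", b"bid 3"))
    (r, s1), (_, s2) = sign(d_a, k, h1), sign(d_a, k, h2)  # wallet A reuses k
    rb, sb = sign(d_b, k, h3)                               # wallet B used k once
    clusters = find_r_collisions([("A", r, s1, h1), ("A", r, s2, h2), ("B", rb, sb, h3)])
    k_rec, d_a_rec = recover_from_reused_nonce(r, s1, h1, s2, h2)
    d_b_rec = recover_with_known_nonce(rb, sb, h3, k_rec)
    _, d_lin = recover_from_linear_nonces(sign(d_a, k, h1), h1,
                                          sign(d_a, k + 1, h2), h2, 1, 1)
    return {
        "cluster_sizes": {len(v) for v in clusters.values()},
        "nonce": k_rec == k,
        "wallet_a": key_matches_pubkey(d_a_rec, pub_a),
        "wallet_b": key_matches_pubkey(d_b_rec, pub_b),
        "counter_nonce": key_matches_pubkey(d_lin, pub_a),
    }

if __name__ == "__main__":
    print(demo())
```

On a real chain the scanner's input is the (v, r, s) of each transaction plus the signing hash, and the "public key" is not posted: it is recovered from the signature, so the settling check becomes "address of the recovered key equals the transaction sender". The linear-nonce recovery assumes the attacker knows a and b; a searcher that increments a counter gives a = 1, b = 1, and an unknown but small bias would call for the lattice methods of Breitner and Heninger rather than this closed form.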

read the original abstract

ECDSA signatures form the bedrock of blockchain transaction authentication, yet their security critically depends on proper nonce generation. We uncover a critical vulnerability in the Polygon MEV ecosystem: systematic nonce reuse that enables complete private key recovery. Analyzing on-chain data reveals that searchers, driven by the need for sub-second response times in sealed-bid auctions, employ predictable nonce patterns. These patterns create linear relationships between signatures, allowing passive attackers to recover private keys using elementary algebra. We provide a compact linear-system formulation for such attacks, including the dangerous case of cross-wallet nonce collisions, and present concrete evidence of exploitable patterns on Polygon. Our findings demonstrate how protocol-induced latency pressures can lead to catastrophic cryptographic failures in production blockchain systems, where a single implementation error compromises multiple accounts simultaneously.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that MEV searchers on Polygon employ predictable nonce patterns in ECDSA signatures due to sub-second latency requirements in sealed-bid auctions. These patterns, including cross-wallet nonce collisions, create linear relationships between signatures that allow passive attackers to recover private keys using elementary algebra. The work provides a compact linear-system formulation for such attacks and presents concrete on-chain evidence of exploitable patterns.

Significance. If the central claims hold, the results illustrate how protocol-induced pressures for rapid responses can induce catastrophic cryptographic failures in live blockchain systems, with a single implementation error potentially compromising multiple accounts. Strengths include the elementary-algebra recovery method, the explicit treatment of cross-wallet collisions, and the grounding in on-chain observations that support falsifiable predictions.

major comments (2)
  1. The section presenting on-chain evidence reports concrete nonce patterns but does not include explicit counts, frequencies, or time-series statistics showing how often a given searcher address produces a solvable cluster (at least two signatures with identical or linearly related nonces) within a short enough window before key rotation. This quantification is load-bearing for the claim that such attacks are reliably actionable against production MEV traffic.
  2. In the linear-system formulation, the minimum number of signatures required for a unique solution in the cross-wallet collision case, together with any assumptions on the exact linear dependence of the nonces, should be stated explicitly so that readers can assess the practical threshold for key recovery.
minor comments (2)
  1. Clarify the dataset exclusion criteria and any filtering applied to the on-chain transactions to support reproducibility.
  2. Ensure all equations in the linear-system section are numbered and cross-referenced in the surrounding text.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their detailed review and constructive comments on our manuscript. We have carefully considered each major comment and provide point-by-point responses below. We believe these revisions will enhance the clarity and impact of our work.

read point-by-point responses
  1. Referee: The section presenting on-chain evidence reports concrete nonce patterns but does not include explicit counts, frequencies, or time-series statistics showing how often a given searcher address produces a solvable cluster (at least two signatures with identical or linearly related nonces) within a short enough window before key rotation. This quantification is load-bearing for the claim that such attacks are reliably actionable against production MEV traffic.

    Authors: We agree that additional quantitative analysis would strengthen the presentation of our on-chain evidence. In the revised version of the manuscript, we will augment the on-chain evidence section with explicit counts of solvable clusters for each searcher address, frequencies of nonce collision events, and time-series statistics demonstrating the occurrence of such clusters within short time windows prior to key rotation. These additions will be derived from our existing dataset of Polygon MEV transactions and will directly support the actionability of the attacks in production settings. revision: yes

  2. Referee: In the linear-system formulation, the minimum number of signatures required for a unique solution in the cross-wallet collision case, together with any assumptions on the exact linear dependence of the nonces, should be stated explicitly so that readers can assess the practical threshold for key recovery.

    Authors: We thank the referee for highlighting this point for improved clarity. In the revised manuscript, we will explicitly state in the linear-system formulation section that, under the assumption of linear dependence between nonces (such as identical nonces or proportional relations arising from deterministic generation patterns), a minimum of two signatures is required to obtain a unique solution for the private key in the cross-wallet collision case. We will also detail the specific assumptions on the linear dependence relations used in our formulation. revision: yes

Circularity Check

0 steps flagged

No circularity: derivation rests on external on-chain observations and standard ECDSA algebra

full rationale

The paper's central claim is an empirical observation of nonce patterns in Polygon MEV traffic, followed by a linear-system formulation derived from the standard ECDSA signature equation. No equations reduce a fitted parameter or prediction back to the authors' own inputs by construction. The attack formulation uses elementary algebra on observed (r,s) pairs and does not invoke self-citations or prior uniqueness theorems from the same authors. The load-bearing step is the existence of the on-chain patterns themselves, which the paper treats as external data rather than a quantity defined inside the derivation. This is a self-contained empirical analysis with no self-definitional or fitted-input circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The work relies on standard ECDSA security assumptions and the availability of on-chain signature data; no new free parameters or invented entities are introduced.

axioms (2)
  • standard math: ECDSA signatures with reused or linearly related nonces allow private-key recovery via linear algebra.
    Invoked in the description of the attack formulation; this is a known mathematical fact rather than a paper-specific assumption.
  • domain assumption: On-chain Polygon transaction data accurately reflects the nonce choices made by MEV searchers.
    Required for the empirical claim; stated implicitly when the authors say they analyzed on-chain data.



Reference graph

Works this paper leans on

10 extracted references · 10 canonical work pages

  1. T. Pornin, "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)," RFC 6979, 2013.
  2. D. Johnson, A. Menezes, and S. Vanstone, "The Elliptic Curve Digital Signature Algorithm (ECDSA)," International Journal of Information Security, vol. 1, no. 1, pp. 36–63, 2001.
  3. NIST, "FIPS 186-5: Digital Signature Standard (DSS)," 2023.
  4. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography. CRC Press, 1996.
  5. J. W. Bos, J. A. Halderman, N. Heninger, J. Moore, M. Naehrig, and E. Wustrow, "Elliptic Curve Cryptography in Practice," in Financial Cryptography and Data Security, 2014, pp. 157–175.
  6. J. Breitner and N. Heninger, "Biased Nonce Sense: Lattice Attacks Against Weak ECDSA Signatures in Cryptocurrencies," in Financial Cryptography and Data Security, 2019, pp. 3–20.
  7. W. J. Buchanan, J. Gilchrist, and K. Finlow-Bates, "ECDSA Cracking Methods," arXiv preprint arXiv:2502.12194, 2025.
  8. M. Brengel and C. Rossow, "Identifying Key Leakage of Bitcoin Users," in Research in Attacks, Intrusions, and Defenses, 2018, pp. 623–643.
  9. "CVE-2013-7372 Detail," National Vulnerability Database, 2013. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2013-7372
  10. D. Gilson, "Blockchain.info Issues Refunds to Bitcoin Theft Victims," CoinDesk, Aug. 2013. [Online]. Available: https://www.coindesk.com/markets/2013/08/21/blockchaininfo-issues-refunds-to-bitcoin-theft-victims/