Reject Unconsumed Trailing Data in secp256k1 Precompile

[kocubinski]

Problem

The secp256k1 precompile currently accepts arbitrary trailing data after the offset table. This unconsumed calldata represents a mismatch between what callers construct (typically via createInstructionWithEthAddress) and how the program interprets the data.

While this edge case is documented, it represents a common footgun in the typical single-signature use case. The misalignment is detectable and preventable, so strict input validation should be enforced rather than relying on callers reading the docs.

Proposed Solution

Reject instructions with unconsumed trailing bytes after the offset table.

Implementation approach

• Use pointer equality to determine if referenced data instructions are the same as the secp256k1 instruction (inline)
• If inline, track consumed bytes throughout verification
• If inline bytes remain unconsumed after processing all signatures, fail the instruction
• Requires a feature gate

Impact

Consensus breaking: Instructions that previously succeeded with trailing data will now fail. This affects:

• Any transaction constructing secp256k1 instructions with extraneous bytes
• Potentially existing on-chain programs that rely on this (likely unintentional) behavior

Benefit: Prevents silent bugs where callers misconstruct instructions without realizing data is being ignored. In the worst case, if inline signature data is being ignored, and the program has not implemented strict inline requirements for the instruction containing the signature data, a malicious attacker could exploit this fact by appending a second instruction with arbitrary signing data, rendering the secp precompile instruction effectively useless.