Update elliptic to protect from Minerva Timing Attack #666
Labels: fixed/complete (This Bug is fixed or Enhancement is complete and published.)
Comments
ricmoo added a commit that referenced this issue on Nov 24, 2019
ricmoo added a commit that referenced this issue on Nov 24, 2019
ricmoo added the fixed/complete label (This Bug is fixed or Enhancement is complete and published.) and removed the on-deck label (This Enhancement or Bug is currently being worked on.) on Nov 24, 2019
Issue 666 😈
(@PhABC Haha! Yeah, that was a pretty exciting coincidence. :))
Closing this now and unpinning it. It's been updated for quite some time. :) Thanks! :)
A new timing attack, Minerva, has been found on the elliptic curve library that ethers uses.
For most users this should not be an issue.
If you have a private key on a server which blindly signs messages or transactions, you should update your library and rotate the private key, especially if you have seen an unusually high number of signatures produced.
The gist of the attack is that, if I can get an accurate time of how long it takes for you to sign a message, and I can get you to sign about 11,000 different messages (timing each one), I can guess your private key.
For example, a wallet using ethers is likely not affected, since a site asking to sign a message should create a pop-up dialog box, which the user then reads and clicks "accept". The time cannot be accurately determined, since it is unknown how long the user waited to click "accept" and how long the signing took. In this case, the time is very largely dominated by the user's interaction time. Also, if a user signed over 11,000 messages, they would probably catch on that something was wrong. :)
An example where this might be important is a faucet, which allows a user to enter an Ethereum Address and have some tokens delivered to their account. If a bot was set up to request 11,000 withdrawals, timing each one, it may go quite unnoticed, allowing an attacker to recover the private key, which could then be used to steal the remaining balance or control other assets the faucet manages with that key.