Why ECDSA is malleable
TODO(author): explain the s value symmetry and why both (r, s) and (r, n - s) verify.
Where it matters in Solidity
TODO(author): ecrecover, signature-based replay protection, permit flows (EIP-2612), meta-transactions, EIP-712 structured data, account abstraction.
The EIP-2 fix
TODO(author): enforcing low-s, the canonical form, OpenZeppelin's ECDSA library.
Common mistakes in 2026 code
Missing low-s check in custom signature verification
TODO(author)
Using signatures as unique identifiers
TODO(author)
Caching recovered addresses without replay protection
TODO(author)
What to check during audits
TODO(author): concrete audit checklist.