First off, CryptoCat's engineering practices look bad to me. It seems that the CryptoCat team just throws together things until it works then move on . They have, let me count, exactly 4 tests for the whole program. They mix Curve25519 with P-256, e.g., they call a function Curve25519.ecdsaVerify, but it actually implements (insecurely) ECDSA's signature verification over P-256. Last but not least although I like reading crypto code theirs is so clumsy that I gave up after a few minutes.
1/ Curve25519.ecdsaGenPrivateKey (line 187) generates private keys that aren't in the correct range. I don't think this is a vulnerability, but it's still a mistake that should be avoided.
2/ Curve25519.ecdsaSign calculates the hash of the to-be-signed message as follows (line 347):
m = BigInt.mod(CryptoJS.SHA512(JSON.stringify(message)).toString(CryptoJS.enc.Hex).substring(0,32), n256)
I could see there are two "type confusion" bugs here:
2.1/ A 512-bit hash is converted to hex of which a substring of 32 byte is returned. That means the hash is reduced to only 128-bit. Thus, the security level of this implementation of ECDSA would be only 64-bit.
2.2/ A string is used as a BigInt. I haven't reviewed BigInt so I don't know how large the impact could be. If there's a way to make m equal to zero bug #3 would be exploitable.
A few days after I looked at this function somebody reported a vulnerability in it . It seemed that CryptoCat's lead developer didn't know what this function does - he had to consult an anonymous cryptographer that contributed this code. He decided to comment out the function, and added a warning,
3/ Curve25519.ecdsaVerify incorrectly verifies the signature: a pair of (n256, n256) or negative numbers would pass all the range checks (line 394). This is bad, and it's only sheer luck that makes the bug seem unexploitable. The call to BigInt.inverseMod (line 398) returns null if s is divisible by n256. That makes the next line throw an exception. Otherwise (n256, n256) would have been accepted as a valid signature for all messages.
Update: CryptoCat's response.
 I'm quoting Rasmus Lerdorf, the creator of PHP. The full quotation is: "I'm not a real programmer. I throw together things until it works then I move on. The real programmers will say "Yeah it works but you're leaking memory everywhere. Perhaps we should fix that." I’ll just restart Apache every 10 requests.".
 I chose this library because I've worked on ECC recently. Originally I wanted to look at the BigInt library, but it seems that CryptoCat just copies it from somewhere else.
 If you implement DSA/ECDSA be aware of this attack. Bleichenbacher once said that he only needed a fraction of a bit of each nonce to calculate the private key, given enough signatures.