Verichains, a major provider of blockchain security solutions, announced today that it has uncovered serious key extraction attacks in popular Threshold Signature Scheme (TSS) implementations, a class of Multi-Party Computation (MPC) protocol that is widely used by multi-party wallets and digital asset custody solutions.
MPC has quickly grown into the preferred method for securing digital assets by significant blockchain and financial services companies, such as BNY Mellon (the biggest global custodian bank), Revolut (Europe’s biggest neobank), ING, Binance, Fireblocks, Coinbase, and others.
Verichains is an industry-leading blockchain security company specializing in code auditing, cryptanalysis, perimeter security, and incident investigation. The firm was established in 2017 by world-class security researchers and draws on deep expertise in security, cryptography, and fundamental blockchain technology. The company has contributed to the investigation and remediation of security flaws behind some of the largest crypto attacks, including the BNB Bridge and Ronin Bridge incidents.
TSS Implementations Vulnerable to Key Recovery Attacks
One of the difficulties that arises when using blockchain technology is ensuring the safety and accessibility of funds without relying on a single institution that must be completely trusted. A Threshold Signature Scheme (TSS) is a cryptographic protocol that enables a group of parties to jointly produce a signature on a message without any party disclosing the individual secret share it uses to sign.
In this way a dispersed group of authorized signers can exercise control over the funds and work together to approve transactions. MPC protocols for threshold ECDSA based on the GG18, GG20, and CGGMP21 algorithms are now deployed at a number of institutions. These are derived from a paper by Gennaro and Goldfeder that defines a protocol built on homomorphic encryption and zero-knowledge proofs.
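To make the threshold idea concrete, here is an added illustration (not Verichains' code and not the GG18/GG20/CGGMP21 protocol) of the share structure underneath such schemes: Shamir t-of-n secret sharing over a prime field. Any `threshold` shares determine the key, while fewer shares are consistent with every possible key and so reveal nothing. The prime modulus and the sample key are assumptions chosen for the example; real threshold ECDSA shares live in the secp256k1 scalar field, and the real protocols sign without ever reconstructing the key, which this toy deliberately does not attempt.

```python
"""Toy t-of-n secret sharing to illustrate the threshold idea behind TSS.

Each party holds one share of the signing key; the key itself never exists in
one place. Any `threshold` shares determine it, fewer reveal nothing.
"""
import secrets

# Assumption: a toy prime field. Threshold ECDSA shares live in Z_q with q the
# secp256k1 group order, but any prime works for the sharing arithmetic itself.
P = (1 << 127) - 1


def interpolate(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through points, mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_secret(secret, threshold, n_parties, rng=secrets.randbelow):
    """Shamir split: random polynomial f of degree threshold-1 with f(0) = secret.
    Party i (1..n) receives share (i, f(i)). `rng` is injectable for deterministic tests."""
    if not 1 <= threshold <= n_parties:
        raise ValueError("need 1 <= threshold <= n_parties")
    coeffs = [secret % P] + [rng(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n_parties + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x)
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def reconstruct(shares):
    """Lagrange interpolation at x = 0 recovers f(0) = secret from >= threshold shares."""
    return interpolate(shares, 0)


def consistent_share(partial_shares, candidate_secret, party_index):
    """Given threshold-1 shares and ANY candidate secret, compute the share that
    party_index would hold if the secret were candidate_secret. Such a share always
    exists, which is why threshold-1 shares carry no information about the real key."""
    return interpolate([(0, candidate_secret % P)] + list(partial_shares), party_index)


def demo():
    secret = 0x1234567890ABCDEF  # constructed sample key, not a real key
    t, n = 2, 3
    shares = split_secret(secret, t, n)
    # Any t shares recover the key...
    assert reconstruct(shares[:t]) == secret
    assert reconstruct(shares[1:]) == secret
    # ...while t-1 shares are consistent with every candidate key.
    partial = shares[:t - 1]
    bogus = 42
    forged = consistent_share(partial, bogus, party_index=3)
    assert reconstruct(partial + [(3, forged)]) == bogus
    return True


if __name__ == "__main__":
    print("threshold demo ok:", demo())
```

The point of `consistent_share` is the security property the press release relies on: a single party's share, on its own, is worthless to an attacker. The reported attacks matter precisely because they let one malicious participant defeat this guarantee through flaws in the signing protocol rather than in the sharing itself.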
Verichains has been researching the security of threshold ECDSA since October 2022. Its findings indicate that nearly all TSS implementations, including numerous popular open-source libraries written in Go and Rust, are susceptible to key recovery attacks, despite having undergone numerous security audits.
Verichains has developed working proof-of-concept attacks that demonstrate complete private key extraction by a single malicious party in as little as one to two signing sessions. The attacks were demonstrated against a variety of well-known wallets, non-custodial key infrastructure, and cross-chain asset management protocols. The attack leaves no traces and appears completely benign to the other parties.
Verichains’ Strong Commitment to Vulnerability Disclosure
Verichains estimates that at least $8 billion in assets is at risk, although this figure may not reflect the full amount of funds exposed. In addition, not only blockchain systems but any other system using threshold ECDSA is vulnerable if its implementation comes from one of the open-source libraries known to have these security flaws.
Thanh Nguyen, Co-Founder of Verichains and former CPU Security Lead at Intel, said: “Verichains has a strong commitment to responsible vulnerability disclosure, and we take careful and considered steps when disclosing attacks, especially given the wide range of impacted projects and significant user funds at risk.”
Following the same approach used for the [VSA-2022-120] Private Key Extraction Vulnerability in fastMPC’s Secure Multi-Party Client of Multichain in December 2022, Verichains has alerted a number of the affected companies and will publish details of the vulnerabilities once they have been mitigated. Verichains encourages all platforms and projects that depend on threshold ECDSA to prioritize the implementation of robust security mechanisms and to seek an assessment from security professionals in order to ensure the safety and security of their platforms.