Verichains Discovers Critical Key Extraction Attacks in Popular Threshold Signature Scheme for MPC Wallets and Digital Asset Custody
Verichains announced today that it discovered critical Key Extraction Attacks in many popular Threshold Signature Scheme (TSS) implementations, a Multi-Party Computing (MPC) protocol.
MPC is commonly used by multiparty wallets and digital asset custody solutions and has quickly become the standard for securing digital assets by major blockchain and financial institutions, including BNY Mellon (the largest global custodian bank), Revolut (Europe’s largest neobank), ING, Binance, Fireblocks, Coinbase, and others. It's important to clarify that the inclusion of these names does not imply that they are vulnerable to our attacks.
One of the challenges in blockchain technology is to ensure the security and availability of funds without relying on a single trusted entity. A Threshold Signature Scheme (TSS) is a cryptographic protocol that allows a group of parties to generate a signature on a message without revealing their individual secret keys. This way, the funds can be controlled by a distributed set of signers who can cooperate to authorize transactions.
Today, many institutions are implementing MPC protocols for threshold ECDSA based on GG18, GG20, and CGGMP21 algorithms (originating from the Gennaro and Goldfeder paper, defining a protocol that implements homomorphic encryption and zero-knowledge proofs).
Since Oct 2022, Verichains has been researching threshold ECDSA security and found that nearly all threshold ECDSA based TSS implementations, including popular open-source libraries in Golang and Rust, are vulnerable to key extraction attacks despite having undergone multiple security audits.
Verichains has built working proof of concept attacks demonstrating full private key extraction by a single malicious party in 1-2 signing ceremonies on various popular wallets, non-custodial key infrastructure, and cross-chain asset management protocols. The attack leaves no trace and appears innocent to the other parties.
Verichains expects at least $8B total assets value to be at risk, but this may not reflect the total amount of funds at risk. In addition, other systems employing threshold ECDSA besides blockchain are affected if they use vulnerable implementations from open-source libraries.
"Verichains has a strong commitment to responsible vulnerability disclosure, and we take careful and considered steps when disclosing attacks, especially given the wide range of impacted projects and significant user funds at risk.” said Thanh Nguyen, Co-Founder of Verichains and former CPU Security Lead at Intel.
Verichains has notified several affected vendors and will release details of the attacks after the vulnerabilities have been mitigated, similar to the approach taken with [VSA-2022-120] Private Key Extraction Vulnerability in fastMPC’s Secure Multi-Party Client of Multichain in December 2022.
Verichains is urging all projects and platforms that rely on threshold ECDSA to prioritize implementing robust security measures and seeking review from security experts to ensure their platforms' safety and security.
About Verichains
Verichains is a leading blockchain security firm specializing in code audits, cryptanalysis, perimeter security, and incident investigation. Founded in 2017 by world-class security researchers, the company leverages extensive expertise in security, cryptography, and core blockchain technology and has helped investigate and fix security issues in the largest crypto hacks, including the BNB Bridge and Ronin Bridge. For any inquiries or questions, please contact us at info@verichains.io