Verichains, a leading provider of blockchain security solutions, has discovered critical vulnerabilities in popular implementations of the Threshold Signature Scheme (TSS), a Multi-Party Computation (MPC) protocol commonly used by major blockchain and financial institutions. The vulnerabilities put at least $8 billion in total asset value at significant risk, along with other systems that employ threshold ECDSA. Verichains has urged all projects and platforms that rely on threshold ECDSA to prioritize implementing robust security measures and to seek review from security experts to ensure their platforms’ safety and security.
MPC is commonly used by multiparty wallets and digital asset custody solutions and has quickly become the standard for securing digital assets by major blockchain and financial institutions, including BNY Mellon (the largest global custodian bank), Revolut (Europe’s largest neobank), ING, Binance, Fireblocks, Coinbase, and others. It’s important to clarify that the inclusion of these names does not imply that they are vulnerable to our attacks.
One of the challenges in blockchain technology is to ensure the security and availability of funds without relying on a single trusted entity. A Threshold Signature Scheme (TSS) is a cryptographic protocol that allows a group of parties to generate a signature on a message without revealing their individual secret keys. This way, the funds can be controlled by a distributed set of signers who can cooperate to authorize transactions.
Today, many institutions are implementing MPC protocols for threshold ECDSA based on the GG18, GG20 and CGGMP21 algorithms, which descend from the Gennaro and Goldfeder paper defining a protocol built on homomorphic encryption and zero-knowledge proofs.
Since Oct 2022, Verichains has been researching threshold ECDSA security and found that nearly all TSS implementations, including popular open-source libraries in Golang and Rust, are vulnerable to key recovery attacks despite having undergone multiple security audits.
Verichains has built working proof of concept attacks that demonstrate a full private key extraction by a single malicious party in 1-2 signing ceremonies on various popular wallets, non-custodial key infrastructure, and cross-chain asset management protocols. The attack leaves no trace and appears innocent to the other parties.
Verichains estimates that at least $8B in total asset value is at risk, although this figure may not reflect the total amount of funds exposed. In addition, systems outside blockchain that employ threshold ECDSA are also affected if they use vulnerable implementations from open-source libraries.
“Verichains has a strong commitment to responsible vulnerability disclosure, and we take careful and considered steps when disclosing attacks, especially given the wide range of impacted projects and significant user funds at risk,” said Thanh Nguyen, Co-Founder of Verichains and former CPU Security Lead at Intel.
Verichains has notified a number of affected vendors and will release details of the attacks after the vulnerabilities have been mitigated, similar to the approach taken with [VSA-2022-120] Private Key Extraction Vulnerability in fastMPC’s Secure Multi-Party Client of Multichain in December 2022.
Verichains is urging all projects and platforms that rely on threshold ECDSA to prioritize implementing robust security measures and to seek review from security experts to ensure their platforms’ safety and security.