
io.finnet and Kudelski Security Uncover Four Critical Vulnerabilities In Popular Digital Signature Protocols For MPC Wallets


LONDON, March 21 2023 – io.finnet and Kudelski Security have discovered four vulnerabilities in the implementation of a popular Threshold Signature Scheme (TSS), a Multi-Party Computing (MPC) protocol commonly used by multiparty wallets and digital asset custody solutions to produce digital signatures. 

A Threshold Signature Scheme (TSS) is a cryptographic protocol that enables a group of participants to jointly produce a signature for a message, where at least a minimum threshold of the participants must cooperate to produce the signature. It improves security and scalability in digital asset applications, but its implementation may contain flaws or vulnerabilities. Exploiting these vulnerabilities may, in an extreme circumstance, allow an attacker with privileged access to attempt to forge signatures, enabling them to access assets that they do not own. With the vulnerabilities identified, it is now the responsibility of the owners and maintainers of the client software to use patched libraries to lessen these risks.

“We collaborated with The MPC Alliance and Kudelski Security on this disclosure as we share a common vision of advancing the security and privacy of data and digital assets through the application of MPC technology. It’s our duty to keep the space as secure and transparent as possible,” said Luke Plaster, io.finnet Chief Crypto Officer.

Kudelski Security performed a security audit on one of io.finnet’s products and identified security vulnerabilities that could potentially be exploited by attackers. These vulnerabilities are related to two variants of the TSS protocol (the ECDSA and EdDSA schemes) implemented in programming languages such as Go and Rust. These variants offer fast, efficient computation, strong security, and compatibility. However, the security audit uncovered four vulnerabilities in these protocol implementations that could lead to risks such as malleability of zero-knowledge proofs, hash-value collisions, non-constant-time arithmetic, and non-constant-time scalar multiplication. io.finnet chose to make these findings public to help users take appropriate steps to mitigate the risks.

One of the most popular affected TSS libraries is known as “TSS-Lib”, an MIT-licensed implementation of the protocols in the Go programming language. 

By discovering these vulnerabilities, io.finnet and Kudelski Security prevented user assets from being put at risk. With the support of MPC Alliance, io.finnet has notified users of the “TSS-Lib” library about these vulnerabilities and provided them with recommendations on how to fix them in public disclosures (CVEs) outlining the root causes, impact, and solutions to these vulnerabilities. 

Several known users of the “TSS-Lib” library, including contacts obtained through the MPC Alliance, were included in a private disclosure initiative in which details of the issues were shared in late February. The full disclosures will be made public via MITRE’s CVE database no sooner than two weeks after the date of this publication. These issues have been assigned the following CVE numbers: CVE-2022-47930, CVE-2022-47931, CVE-2023-26556 and CVE-2023-26557.
