Media Kit

Welcome to the io.finnet Media section

In this section, we invite you to browse our press releases and latest announcements and to access our Media Kit.

io.finnet and Kudelski Security Uncover Four Critical Vulnerabilities In Popular Digital Signature Protocols For MPC Wallets

LONDON, March 21 2023 - io.finnet and Kudelski Security have discovered four vulnerabilities in the implementation of a popular Threshold Signature Scheme (TSS), a Multi-Party Computing (MPC) protocol commonly used by multiparty wallets and digital asset custody solutions to produce digital signatures.

A Threshold Signature Scheme (TSS) is a cryptographic protocol that enables a group of participants to jointly produce a signature for a message, where a minimum threshold of participants cooperate to produce the signature. It improves security and scalability in digital asset applications, but its implementation may contain flaws or vulnerabilities. Exploiting these vulnerabilities may, in an extreme circumstance, allow an attacker with privileged access to attempt to forge signatures, enabling them to access assets that they do not own. With the vulnerabilities identified, it has now become the responsibility of the owners and maintainers of the client software to use patched libraries to lessen these risks.

“We collaborated with The MPC Alliance and Kudelski Security on this disclosure as we share a common vision of advancing the security and privacy of data and digital assets through the application of MPC technology. It’s our duty to keep the space as secure and transparent as possible,” said Luke Plaster, io.finnet Chief Crypto Officer.

Kudelski Security performed a security audit on one of io.finnet's products and identified security vulnerabilities that could potentially be exploited by attackers. These vulnerabilities are related to two variants of the TSS protocol (ECDSA and EdDSA schemes) used in various programming languages like Go and Rust. These variants offer fast, efficient computation, strong security, and compatibility. However, the security audit uncovered that these protocol implementations have four vulnerabilities that could lead to risks like malleability of zero-knowledge proofs, the collision of hash values, non-constant-time arithmetic, and scalar multiplication in non-constant time. io.finnet chose to make these findings public to help users take appropriate steps to mitigate risks.

One of the most popular affected TSS libraries is known as “TSS-Lib”, an MIT-licensed implementation of the protocols in the Go programming language.


By discovering these vulnerabilities, io.finnet and Kudelski Security prevented user assets from being put at risk. With the support of MPC Alliance, io.finnet has notified users of the “TSS-Lib” library about these vulnerabilities and provided them with recommendations on how to fix them in public disclosures (CVEs) outlining the root causes, impact, and solutions to these vulnerabilities.

Several known users of the “TSS-Lib” library, including contacts obtained through the MPC Alliance, were included in a private disclosure initiative where details of the issues were shared in late February. The full disclosures will be made public via MITRE’s CVE database no sooner than two weeks after the date of this publication. These issues have been assigned the following CVE numbers: CVE-2022-47930, CVE-2022-47931, CVE-2023-26556 and CVE-2023-26557.

For further assistance, affected parties are encouraged to contact io.finnet, Kudelski Security or the MPC Alliance for guidance. 

About io.finnet:



io.finnet is a FinTech group with a global reach. They are dedicated to reshaping modern finance, and fostering financial innovation and inclusion by building a secure, seamless, and regulatory-friendly infrastructure for the financial world. They offer solutions to traditional financial institutions, corporates and crypto companies to enhance and grow their businesses.  


About Kudelski Security

Kudelski Security is the premier advisor and cybersecurity innovator for today’s most security-conscious organizations. Our long-term approach to client partnerships enables us to continuously evaluate their security posture to recommend solutions that reduce business risk, maintain compliance and increase overall security effectiveness. With clients that include Fortune 500 enterprises and government organizations in Europe and across the United States, we address the most complex environments through an unparalleled set of solution capabilities including consulting, technology, managed security services and custom innovation. For more information, visit www.kudelskisecurity.com.


About the MPC Alliance:

The MPC Alliance is a global network of 50 companies of all sizes, from highly innovative startups to global players, with the shared mission to accelerate the adoption of multi-party computing (MPC) technology in the financial industry. The organisation brings together leading fintech companies, researchers, and academics to collaborate on research, best practices, and the development of MPC technology. The MPC Alliance aims to promote the adoption of MPC technology in finance, with a focus on security, privacy, and data protection.

