Verichains, a leading provider of blockchain security solutions, has announced that it discovered critical key recovery attacks in popular Threshold Signature Scheme (TSS) protocols, a form of Multi-Party Computation (MPC).
MPC is one of the most popular technologies used by multiparty wallets and digital asset custody solutions. With these vulnerabilities, many of the current safety protocols will be impacted.
MPC has quickly become the standard for securing the digital assets of many major blockchain and financial organizations, such as the largest global custodian bank BNY Mellon, Europe’s largest neobank Revolut, ING, Binance, Fireblocks, and Coinbase.
Popular Threshold Signature Schemes (TSS) Are Vulnerable to Key Recovery Attacks
Although blockchain technology is increasingly developed and adopted, ensuring the security and availability of funds without relying on a single trusted entity is one of the challenges that still needs to be solved.
A Threshold Signature Scheme (TSS) is a cryptographic protocol allowing a group of parties to generate a signature on a message without revealing their secret keys.
As a result, the funds can be controlled by a set of signers who can cooperate to authorize transactions. Many organizations today are implementing MPC protocols for threshold ECDSA based on GG18, GG20, and CGGMP21 algorithms.
Founded in 2017, Verichains focuses on blockchain solutions including perimeter security, code audits, cryptanalysis, and incident investigation.
The firm is also known for helping investigate and fix security issues in crypto hacks such as the Ronin Bridge and BNB Bridge incidents.
Verichains started researching threshold ECDSA security in October 2022.
The firm has found that, despite having undergone multiple audits by leading security firms, most TSS implementations, including popular open-source libraries, are still vulnerable to key recovery attacks.
To demonstrate this, the firm has built working proof-of-concept attacks that show full private key extraction by a single malicious party in 1-2 signing ceremonies against various popular wallets, non-custodial key infrastructure, and cross-chain asset management protocols.
“Verichains has a strong commitment to responsible vulnerability disclosure, and we take careful and considered steps when disclosing attacks, especially given the wide range of impacted projects and significant user funds at risk,” said Thanh Nguyen, Co-Founder of Verichains and former CPU Security Lead at Intel.
The firm has notified the affected organizations and will release details of the attacks once the vulnerabilities have been fixed.
The Importance of Blockchain Security
Today, while internet technologies are constantly developing, blockchain technologies create new business forms that allow decentralized digital transformation.
Getting up to speed with blockchain developments requires in-depth knowledge of a wide range of development and scripting languages and other resources.
Although it is one of the most innovative and disruptive technologies in use today, blockchain technology is still new to the cybersecurity industry.
Despite the widespread use of this technology, there are still not enough developers who are experienced with blockchain and well-versed in cryptography.
Built on a large-scale architecture with many layers, such as consensus, smart contracts, or networks, blockchains are also often targeted in cyber-attacks and expose a wide variety of vulnerabilities.
Hence, it is necessary to implement a cybersecurity assessment process for blockchain solutions that addresses related cybersecurity threats, mitigates risks, and provides continuous monitoring of new threats and incidents.
Verichains has reported that not only can systems based on ECDSA be vulnerable, but at least $8 billion of total locked value will also be impacted.
The firm is calling on blockchain projects and platforms relying on threshold ECDSA to prioritize implementing robust security measures and to seek review from security experts to ensure their platforms’ safety and security.