io.finnet and Kudelski Security Uncover Four Critical Vulnerabilities in Signature Protocols for MPC Wallets

In the spirit of transparency and industry cooperation, the MPC Alliance, in collaboration with alliance member io.finnet and their partner Kudelski Labs, would like to share the following vulnerabilities that were identified in specific forks of tsslib, an open source implementation of ECDSA and EdDSA, used in some digital asset wallets that rely on secure multi-party computation (MPC).

The CVE numbers are known and will be published later this week. They are:

1) Replay Attacks Involving Proofs (https://www.cve.org/CVERecord?id=CVE-2022-47930)

2) Collision of Hash Values (https://www.cve.org/CVERecord?id=CVE-2022-47931)

3) Non Constant-Time Arithmetic (https://www.cve.org/CVERecord?id=CVE-2023-26556)

4) Non-Constant Time Scalar Multiplication (https://www.cve.org/CVERecord?id=CVE-2023-26557)

You will find more information in the io.finnet blog post, Kudelski article and the press release.

The MPC Alliance is organizing a working group that will focus on defining reference documents and recommendations for digital asset wallet solutions that employ MPC. If this is a topic of interest to you, we invite you to become a member or join our mailing list.