New Vulnerability Attacks on Multi-Sig Wallets Uncovered: Verichains Reports
New risks discovered in multi-party computation (MPC) wallets and digital asset custody, Verichains reports.
Leading blockchain security solutions provider Verichains announced the discovery of a critical attack possibility in the popular Threshold Signature Scheme (TSS), the function in a blockchain that enables a group of parties to collectively issue a transaction signature without exposing the secret signing key.
TSS is a multi-party control (MPC) protocol that is common in multi-party signature wallets and digital custody solutions. In recent times, MPC has become the industry standard to secure users’ digital assets across the major players including BNY Mellon, Revolut, Binance, Coinbase, and ING among others. According to the report, MPCs could be under a hidden attack which could pose a ‘significant risk’ in the wider digital asset ecosystem.
Understanding the Security Questions at Hand
As blockchain adoption became global, the main issue for most users became security and availability of funds. However, most decentralized applications could not provide security, without compromising on reliability and convenience, and vice versa. And if it offers both, it had to rely on a single trusted entity, beating the idea of decentralization. This gave rise to multi-sig wallets via the development of Threshold Signature Schemes (TSS).
Simply, TSS are cryptographic protocols that allow a group of parties to sign off a transaction without revealing their individual private (secret) key. Using these multi-sig wallets allows users to secure their funds by distributing the keys needed to authorize the transaction without relying on a centralized entity.
The MPC protocols are becoming an increasingly popular way to secure digital assets in custodial institutions.
$8 Billion Dollar Risk on Digital Assets in Custody
As institutions adopt MPC protocols for threshold ECDSA, the signing scheme used in Bitcoin and many other popular coins, Verichain started its research in October 2022 to find any security vulnerabilities. Shockingly, nearly all TSS implementations, including open-source libraries, were found to have security risks to key recovery attacks. This means that in most TSS implementations, hackers could find a way to get the individual keys used in multi-sig wallets, which could lead to the loss of users’ funds.
According to the report, a full private key extraction can be completed by a malicious signatory. This vulnerability was discovered on various popular wallets, non-custodial key infrastructure, and cross-chain asset management protocols (all of which remained unnamed). Furthermore, the attack leaves no trace and “appears innocent to the other parties”.
The report states that over $8 billion in digital assets locked on platforms could be at risk in the crypto sector with more assets locked using threshold ECDSA could also be at risk.
Verichains Calls for Quick Action
The report did not name any vulnerable companies or custodial organizations but “notified a number of affected vendors”, the statement reads. The Co-Founder of Verichains, Thanh Nguyen called on all vulnerable companies to take responsible courses to protect their users’ funds.
“Verichains has a strong commitment to responsible vulnerability disclosure, and we take care and considered steps when disclosing attacks, especially given the wide range of impacted projects and significant user funds at risk,” added Thanh Nguyen.
Finally, the report recommends that all platforms that rely on threshold ECDSA “prioritize implementing robust security measures” and consult security experts to ensure their platforms remain safe and secure.