Blockchain security firm Verichains identifies critical key recovery attacks
Verichains, a leading provider of blockchain security solutions, has announced that it discovered critical key recovery attacks in popular Threshold Signature Scheme (TSS) implementations, a class of multi-party computation (MPC) protocol.
MPC is one of the most popular technologies used by multi-party wallets and digital asset storage solutions. With these vulnerabilities, many of the current security protocols will be affected.
It has quickly become the standard for securing digital assets of many large blockchain and financial organizations, such as the largest global custodian bank BNY Mellon, Europe’s largest neobank Revolut, ING, Binance, Fireblocks and Coinbase.
Popular Threshold Signature Schemes (TSS) are vulnerable to key recovery attacks
Although blockchain technology is increasingly developed and adopted, ensuring the security and availability of funds without relying on a single trusted entity is one of the challenges that needs to be addressed.
A Threshold Signature Scheme (TSS) is a cryptographic protocol that allows a group of parties to generate a signature on a message without revealing their secret keys.
As a result, the funds can be controlled by a set of signatories that can work together to authorize transactions. Many organizations today implement MPC protocols for threshold ECDSA based on GG18, GG20 and CGGMP21 algorithms.
Founded in 2017, Verichains focuses on blockchain solutions, including perimeter security, code audits, cryptanalysis and incident investigation.
The firm is also known for helping to investigate and fix security issues in crypto hacks, Ronin Bridge and BNB Bridge being examples.
Verichains started researching threshold ECDSA security in October 2022.
The blockchain security firm has also found that despite undergoing multiple audits by leading security firms, most TSS implementations, including popular open source libraries, are still vulnerable to key recovery attacks.
Working proof-of-concept attacks have been built that demonstrate full private key recovery by a single malicious party in 1-2 signing ceremonies on various popular wallets, non-custodial key infrastructures, and cross-chain asset management protocols.
“Verichains has a strong commitment to responsible vulnerability disclosure, and we take careful and deliberate steps when disclosing attacks, especially given the wide range of affected projects and significant user assets at risk,” said Thanh Nguyen, co-founder of Verichains and former CPU Security Lead at Intel.
The firm has notified the affected organizations and will release details of the attacks once the vulnerabilities are resolved.
The Importance of Blockchain Security
Today, as internet technologies continue to evolve, blockchain technologies are creating new forms of business that allow for decentralized digital transformation.
Getting started with blockchain development requires in-depth knowledge of a wide range of development and scripting languages and other resources.
Although it is one of the most innovative and disruptive technologies in use today, blockchain technology is still new to the cybersecurity industry.
Despite the widespread use of this technology, there are still not enough developers who are experienced with blockchain and well versed in cryptography.
In addition, because they are built on a large-scale architecture with many layers, such as consensus, smart contracts and networks, blockchains are often targeted in cyber attacks and expose a wide range of vulnerabilities.
Therefore, it is necessary to implement a cybersecurity assessment process for blockchain solutions to address related cybersecurity threats, and mitigate risks, as well as provide continuous monitoring of emerging threats and incidents.
Verichains has reported not only that systems based on ECDSA may be vulnerable, but also that at least $8 billion of total locked value will be affected.
The firm calls on blockchain projects and platforms that rely on threshold ECDSA to prioritize the implementation of robust security measures and to seek review from security experts to ensure their platforms’ safety and security.