Verichains Discovers Critical Key Extraction Attacks in TSS for MPC Wallets and Digital Asset Custody: Native Bitcoin MultiSig Not Affected
Verichains announced that it discovered critical key extraction attacks in many popular implementations of Threshold Signature Schemes (TSS), a class of Multi-Party Computation (MPC) protocols.
MPC is commonly used by multiparty wallets and digital asset custody solutions and has quickly become the standard for securing digital assets by major blockchain and financial institutions, including BNY Mellon, Revolut, ING, Binance, Fireblocks, Coinbase, and others.
Verichains has built working proof-of-concept attacks demonstrating full private key extraction by a single malicious party within 1-2 signing ceremonies against various popular wallets, non-custodial key infrastructure, and cross-chain asset management protocols. The attack leaves no trace and appears innocent to the other parties.
Nearly all threshold-ECDSA-based TSS implementations are vulnerable to key extraction attacks despite having undergone multiple security audits.
Verichains estimates at least $8B in total asset value to be at risk, though this figure may understate the total amount of funds exposed. In addition, systems outside blockchain that employ threshold ECDSA are also affected if they use vulnerable implementations from open-source libraries.
As @frostdragon put it, the issue does not affect bitcoin unless there are old TSS wallets generated when Bitcoin was still on ECDSA, and they involve malicious participants who know how to take advantage of this yet-to-be-disclosed cryptographic vulnerability.
"While most bitcoin users would not have been affected by this even if we were still on ECDSA, this could have been a major problem for exchanges and other large bitcoin companies, as they are typically the ones to use an MPC."
"MPC protocols shouldn't be confused with multisig - multisig is relatively user-friendly, doesn't involve fancy cryptography, and essentially strings together individual wallets via a set of rules rather than building one from scratch."
"If bitcoin were still on ECDSA, the problem with TSS wouldn't technically be a problem with bitcoin or anything in the bitcoin code - it's a separate, manual, and apparently insecure method for constructing a key pair. That being said, it could have resulted in stolen bitcoin."