Over $70 Billion Assets Saved From Attack Through Discovery of Security Flaws by io.finnet and Kudelski Security

io.finnet and Kudelski Security discovered four flaws in the implementation of a popular Threshold Signature Scheme (TSS), a Multi-Party Computing (MPC) protocol commonly used by digital asset custody solutions and multiparty wallets to produce digital signatures that protects assets worth more than $70 Billion.

A Threshold Signature Scheme (TSS) allows a group of individuals to sign a message collectively, as long as a predetermined threshold of those individuals agree to do so. As a result, it is safer and simpler to use in applications involving digital assets. However, sometimes there are issues with the way it’s set up that could give external parties access to restricted data. To fix these problems, software managers need to use updated versions that fix the issues.

“Technology is constantly evolving, and with it come new challenges and risks. However, with the right mindset and tools, we can overcome these challenges and make the digital space a safer place for everyone. We are committed to advancing security and privacy, and are always looking for partnerships with individuals that share the same values.” said Luke Plaster, Chief Crypto Officer at io.finnet, who leads digital assets initiatives.Kudelski Security and io.finnet discovered vulnerabilities in the protocols, related to the TSS techniques, that could have been exploited by malicious parties to cause a security breach. TSS techniques are primarily used in programming languages such as Go and Rust, to execute functions quickly and securely.

“TSS-Lib,” an MIT-licensed Go programming language implementation of the protocols, is one of the better known libraries that was affected. In collaboration with MPC Alliance, io.finnet decided to inform the involved parties about the issues and provided solutions to fixing them. The team chose to keep the affected parties private but provided the causes, impact and solution to prevent similar issues in the future.

The full details have been made public through Mitre’s CVE database. The issues have been given special numbers to allow individuals to identify them. These issues have been assigned the following CVE numbers: [CVE-2022-47930], [CVE-2022-47931], [CVE-2023-26556] and [CVE-2023-26557]. You can learn more on io.finnet blog and Kudelski’s here.

Affected parties are encouraged to get in touch with io.finnet, Kudelski Security, or the MPC Alliance for advice if they need further assistance.