Web3Auth's Response to Recent Attacks on MPC Protocols: TSSHOCK & BitForge

Threshold signature schemes built on Multi-Party Computation (MPC) have become a common way to protect signing keys in decentralized systems. The recently disclosed TSSHOCK and BitForge vulnerabilities, however, show how much depends on implementing such protocols correctly and on the completeness of their specifications. In this article, Web3Auth explains what these vulnerabilities are and why the protocol we use is not affected.

TL;DR

Web3Auth uses an audited DKLs19 protocol, which has not been affected by the recent TSSHOCK and BitForge vulnerabilities. These vulnerabilities underline the importance of rigorous testing and careful implementation of cryptographic protocols. Web3Auth remains committed to prioritizing security, transparency, and reliability in our services.

TSSHOCK

The TSSHOCK vulnerabilities stem from implementation mistakes in the zero-knowledge proofs that underpin the range proofs of the affected protocols, in particular the dlnproof subprotocol, allowing a malicious participant to forge proofs and ultimately recover the private key. The attack lays bare the importance of rigorous protocol implementation and the risks of ambiguous message encoding and of optimizations made without a thorough proof.

Specific Targeted Attacks and Bugs as listed in Verichain’s TSSHOCK Slides:

Key Takeaways:

  • Implementing new cryptographic protocols without a deep understanding can be perilous.
  • Optimizations without thorough proofs can lead to significant vulnerabilities.
  • The attacks targeted implementations of GG18, GG20, and CGGMP21.

BitForge Attack

The BitForge disclosure unveiled two separate issues. Firstly, the GG18 and GG20 specifications omit a zero-knowledge proof that each party's Paillier modulus is well-formed (in particular, that it has no small prime factors). A malicious party who supplies a specially chosen modulus can, in some configurations, extract the key after only 16 signatures. Secondly, several implementations of Lindell17 deviated from the specification by not aborting correctly after a failed signature. This flaw lets a malicious party extract the private key after roughly 200 signature requests.
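As an added illustration (this is not Web3Auth's code, nor code from any of the libraries discussed): the Python check below rejects an incoming Paillier modulus that has small prime factors, which is the property the proof missing from GG18/GG20 is meant to establish. The Mersenne primes standing in for honest primes, the smooth "attacker" modulus and the borderline modulus are all constructed inputs, and the function name `check_paillier_modulus` is an assumption for this example. DKLs19 does not use Paillier at all, so the check is only relevant to GG-style protocols; even there it is a heuristic filter rather than a substitute for the zero-knowledge proof, as the borderline case shows.

```python
# Added example, not Web3Auth's code. Sanity check on a counterparty-supplied
# Paillier modulus, of the kind GG18/GG20 implementations lacked. The real
# protocol fix is a zero-knowledge proof that N has no small factors; this
# trial-division/gcd filter only illustrates what such a proof guarantees.
from math import gcd, isqrt


def small_primes(bound):
    """Sieve of Eratosthenes: all primes p with 2 <= p < bound."""
    is_prime = [True] * bound
    is_prime[0] = is_prime[1] = False
    for p in range(2, isqrt(bound - 1) + 1):
        if is_prime[p]:
            for m in range(p * p, bound, p):
                is_prime[m] = False
    return [p for p, flag in enumerate(is_prime) if flag]


def check_paillier_modulus(n, min_bits=2048, small_prime_bound=1 << 16):
    """
    Return (ok, reason) for a counterparty-supplied Paillier modulus n.
    Rejects n if it is too short, even, a perfect square, or divisible by
    any prime below small_prime_bound. Passing is NOT proof that n is the
    product of two large primes; only a ZK proof from the modulus owner
    (as in CGGMP21) establishes that.
    """
    if n.bit_length() < min_bits:
        return False, f"modulus too short: {n.bit_length()} bits"
    if n % 2 == 0:
        return False, "modulus is even"
    r = isqrt(n)
    if r * r == n:
        return False, "modulus is a perfect square"
    primes = small_primes(small_prime_bound)
    primorial = 1
    for p in primes:
        primorial *= p
    # A single gcd with the primorial detects any small factor at once;
    # only on failure do we locate the smallest culprit for the error message.
    if gcd(n, primorial) != 1:
        culprit = next(p for p in primes if n % p == 0)
        return False, f"modulus has small factor {culprit}"
    return True, f"no small factors below {small_prime_bound}"


# Constructed inputs (not real keys). Mersenne primes stand in for the large
# random primes an honest party would generate; never use them in production.
M1279 = (1 << 1279) - 1
M2203 = (1 << 2203) - 1
HONEST_N = M1279 * M2203          # about 3482 bits, two large prime factors


def malicious_modulus(min_bits=2048):
    """Attacker-style N: product of consecutive odd small primes, long enough
    to pass a length check but completely smooth (constructed)."""
    n = 1
    for p in small_primes(1 << 16)[1:]:   # skip 2 so that n stays odd
        n *= p
        if n.bit_length() >= min_bits:
            return n
    raise ValueError("small-prime bound too small for requested size")


SMOOTH_N = malicious_modulus()

# One factor just above the trial-division bound slips through this filter,
# which is exactly why the protocol needs a proof rather than a heuristic.
BORDERLINE_N = 65537 * M2203


if __name__ == "__main__":
    for label, n in [("honest", HONEST_N), ("smooth", SMOOTH_N),
                     ("borderline", BORDERLINE_N)]:
        ok, reason = check_paillier_modulus(n)
        print(f"{label:10s} accepted={ok} ({reason})")
```

The interesting line of the output is the borderline modulus: a 17-bit factor is already outside the bound and the filter accepts it, so a counterparty that performs only this check is still exposed, which is why the missing proof matters rather than being a formality.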

Web3Auth and the DKLs19 scheme

Web3Auth utilizes an audited implementation of the DKLs19 protocol for threshold ECDSA. The protocol relies on a set of well-studied primitives (oblivious-transfer-based multiplication rather than Paillier encryption) and does not require Paillier moduli or complex range proofs, so the attack surface exploited in the other protocols is simply absent. DKLs19 is proven secure in the UC framework, and our implementation of it has been audited.

Web3Auth’s Response:

  • Our protocol, DKLs19, does not use range proofs and is therefore not affected by the vulnerabilities exposed in TSSHOCK.
  • With regard to the BitForge vulnerabilities:
    • DKLs19 does not use Paillier encryption, so the missing Paillier modulus proof does not apply to it.
    • Our audits verify that every check the DKLs19 protocol requires, including aborting correctly when a signing session fails, is implemented as specified, which guards against the class of bug seen in the Lindell17 implementations.
  • To the best of our knowledge, none of the known vulnerabilities affect DKLs19.