SlowMist flags a security flaw that could lead to private key leakage

SlowMist has identified a critical security flaw in a widely used encryption library, which could allow hackers to reverse-engineer the private keys of applications that depend on it.

The security firm SlowMist has reported a critical security vulnerability in the JavaScript elliptic encryption library, commonly used in crypto wallets (including MetaMask, Trust Wallet, Ledger and Trezor), identity authentication systems, and Web3 applications. More specifically, the reported vulnerability allows attackers to extract private keys by manipulating specific inputs during a single signature operation, which could give them total control over a victim's digital assets or identity information.

The typical Elliptic Curve Digital Signature Algorithm (ECDSA) process requires several parameters to generate a digital signature: the message, the private key and a unique random number (K). The message is hashed and then signed using the private key. The random value K is needed to ensure that even if the same message is signed several times, each signature is different, similar to the way a stamp requires fresh ink for each use. The specific vulnerability identified by SlowMist occurs when K is reused by mistake with different messages. If K is reused, attackers can exploit this to reverse-engineer the private key.
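Because the r half of an ECDSA signature is derived only from K, reuse of K shows up as one key producing the same r over different messages, which a defender can audit for in stored signatures. The following is an added example, not code from SlowMist or the library; the record fields (`pubkey`, `msgHash`, `sigDer`) and all sample values are assumptions constructed for illustration.

```javascript
// r is the x-coordinate of k*G mod n, so it depends only on the nonce k.
// Same key + same r + different message hashes => k was reused.

// Parse a short-form DER ECDSA signature (hex) into { r, s } as BigInt.
function parseDerSignature(hex) {
  const b = Buffer.from(hex, 'hex');
  if (b.length < 8 || b[0] !== 0x30 || b[1] !== b.length - 2) {
    throw new Error('not a short-form DER SEQUENCE');
  }
  let off = 2;
  const readInt = () => {
    const len = b[off + 1];
    const start = off + 2;
    if (b[off] !== 0x02 || !(len > 0) || start + len > b.length) {
      throw new Error('bad DER INTEGER');
    }
    off = start + len;
    return BigInt('0x' + b.subarray(start, off).toString('hex'));
  };
  const r = readInt();
  const s = readInt();
  if (off !== b.length) throw new Error('trailing bytes after signature');
  return { r, s };
}

// records: [{ pubkey, msgHash, sigDer }] -> one finding per reused (pubkey, r).
function findNonceReuse(records) {
  const groups = new Map(); // "pubkey:r" -> Set of message hashes
  for (const { pubkey, msgHash, sigDer } of records) {
    const key = `${pubkey}:${parseDerSignature(sigDer).r.toString(16)}`;
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(msgHash);
  }
  return [...groups]
    .filter(([, hashes]) => hashes.size > 1) // identical re-signs are not flagged
    .map(([key, hashes]) => ({ pubkey: key.split(':')[0], msgHashes: [...hashes] }));
}

// Constructed sample data (placeholder key names and hashes, not real signatures).
const sig = (rByte, sByte) => '30440220' + rByte.repeat(32) + '0220' + sByte.repeat(32);
const SAMPLE = [
  { pubkey: 'walletA', msgHash: 'h1', sigDer: sig('11', '22') }, // first use of this r
  { pubkey: 'walletA', msgHash: 'h2', sigDer: sig('11', '33') }, // same r, new message
  { pubkey: 'walletA', msgHash: 'h3', sigDer: sig('44', '55') }, // fresh r
  { pubkey: 'walletB', msgHash: 'h4', sigDer: sig('11', '66') }, // other key, own group
  { pubkey: 'walletB', msgHash: 'h4', sigDer: sig('11', '66') }, // same message re-signed
];
console.log(findNonceReuse(SAMPLE));
```

Any key that appears in the findings should be treated as exposed and rotated; the same message signed twice with an identical signature is expected from deterministic signers and is not reported.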

Similar vulnerabilities in ECDSA have led to security breaches in the past. For example, in July 2021, the Anyswap protocol was compromised when attackers took advantage of weak ECDSA signatures. They used the vulnerability to forge signatures, allowing them to withdraw funds from the Anyswap protocol, resulting in a loss of around 8 million dollars.
