As previously shared in our community channels, we were recently notified of two vulnerabilities that could have affected the Threshold Network. Both were in the threshold cryptography implementation that lies at the heart of our privacy solutions and is an important part of the tBTC application.
How This Affects Users
Luckily, these bugs were caught in time and had no effect on Threshold users or their funds. We have already released a swift and conclusive fix and advised tBTC node operators to update their client to the new version as soon as possible.
The first things you should know are that:
- We took the proper steps to secure the network
- No funds are at risk
- Only new deposits would have been impacted
- The embargo on the vulnerability has ended
The likelihood of an attack was also low: an attacker would first have had to become an operator, and operators must be bonded and hold a minimum stake. It is still important, however, to analyze these bugs in order to improve our own security and that of the wider ecosystem.
Understanding How Threshold Cryptography Works
As its name implies, the Threshold Network relies on a cryptographic technique known as a threshold scheme to ensure that users keep control over their digital assets. The private key that decrypts a piece of data (or, in tBTC's case, signs Bitcoin transactions) never exists in one place. Instead it is split into shares held by different participants, and a threshold number of them (t of n) must take part in a joint protocol to use the key. Each participant contributes only its own share, and no share is ever revealed to the others.
This forms the basis of how we are able to store private data in siloed, off-chain containers. It is also a vital component of the applications that will run on the network, chiefly tBTC.
Our implementation of threshold cryptography is a fork of Binance's threshold signature library (tss-lib), as is the case for many other projects in the Web3 space, including Clover Network, ZenGo, THORChain, and Swingby. On December 6, Trail of Bits approached the Threshold team about two vulnerabilities it had found in that library.
First, a malicious participant could recover the shared secret. The scheme distributes the key by evaluating a secret polynomial at each participant's ID, and the secret itself is the polynomial's value at zero, so the construction is only safe as long as no participant's ID is zero. To prevent this, Binance's implementation included a check that rejected a zero ID when generating or resharing the key.
A plain integer check was not enough, however. All of the arithmetic is performed modulo the order of the elliptic curve group, and Trail of Bits found that an attacker could choose an ID that is non-zero as an integer but reduces to zero modulo that order (the order itself, for example). Such an ID passes the check, yet the share computed for it is the polynomial's value at zero, which is the secret.
The second vulnerability allowed certain IDs to crash a node. When shares are combined, the verification step divides by the differences between pairs of IDs. Two IDs that are distinct as integers but equal modulo the group order make that difference zero, and there was no check for this case: the arithmetic threw an error on the zero value and the node went down.
Our Part in Fixing the Bugs
Fixing these vulnerabilities required that, going forward:
- All IDs are non-zero
- No ID reduces to zero modulo the group order
- All IDs remain distinct from one another modulo the group order, so that no zero difference can arise during verification.
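To make the sharing step, the two bugs and the three fix conditions above concrete, here is an added example in Go (tss-lib's language). It is not tss-lib's or Threshold's code: `deal` hands out polynomial evaluations the way Shamir-style sharing does, `reconstruct` combines them by Lagrange interpolation, `naiveIDCheck` is the integer-only zero check, and `hardenedIDCheck` applies the three conditions. The function names, the constructed secret and IDs, and the small prime `q` standing in for the secp256k1 group order are all my own choices.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// q is the prime modulus the shares live in. In tss-lib it is the secp256k1
// group order; a small prime (an assumption for readability) is used here.
var q = big.NewInt(1000003)

// share is one party's point (id, f(id)) on the dealer's polynomial.
type share struct{ id, value *big.Int }

// deal splits secret so that any t parties can rebuild it: a random polynomial
// f of degree t-1 with f(0) = secret is evaluated (Horner's rule) at each id
// reduced mod q. An id congruent to 0 mod q therefore receives f(0) itself.
func deal(secret *big.Int, ids []*big.Int, t int) ([]share, error) {
	if t < 1 || t > len(ids) {
		return nil, fmt.Errorf("threshold %d out of range for %d parties", t, len(ids))
	}
	coeffs := []*big.Int{new(big.Int).Mod(secret, q)}
	for i := 1; i < t; i++ {
		c, err := rand.Int(rand.Reader, q)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]share, len(ids))
	for i, id := range ids {
		x, y := new(big.Int).Mod(id, q), new(big.Int)
		for k := len(coeffs) - 1; k >= 0; k-- {
			y.Mul(y, x).Add(y, coeffs[k]).Mod(y, q)
		}
		shares[i] = share{id: new(big.Int).Set(id), value: y}
	}
	return shares, nil
}

// reconstruct recovers f(0) by Lagrange interpolation at 0. Two shares whose
// ids coincide mod q zero a denominator; inverting it blindly is the crash
// described above, so this version returns an error instead.
func reconstruct(shares []share) (*big.Int, error) {
	secret := new(big.Int)
	for i, si := range shares {
		xi := new(big.Int).Mod(si.id, q)
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			xj := new(big.Int).Mod(sj.id, q)
			diff := new(big.Int).Sub(xj, xi)
			if diff.Mod(diff, q).Sign() == 0 {
				return nil, fmt.Errorf("shares %d and %d have the same id mod q: zero denominator", i, j)
			}
			num.Mul(num, xj).Mod(num, q)
			den.Mul(den, diff).Mod(den, q)
		}
		term := new(big.Int).ModInverse(den, q) // den is non-zero mod prime q here
		term.Mul(term, num).Mul(term, si.value).Mod(term, q)
		secret.Add(secret, term).Mod(secret, q)
	}
	return secret, nil
}

// naiveIDCheck mirrors the original check: only the integer 0 is rejected.
func naiveIDCheck(ids []*big.Int) error {
	for i, id := range ids {
		if id.Sign() == 0 {
			return fmt.Errorf("id %d is zero", i)
		}
	}
	return nil
}

// hardenedIDCheck enforces the three conditions listed above: every id is
// non-zero, still non-zero after reduction mod q, and distinct mod q.
func hardenedIDCheck(ids []*big.Int) error {
	seen := map[string]int{}
	for i, id := range ids {
		r := new(big.Int).Mod(id, q).String()
		if r == "0" {
			return fmt.Errorf("id %d is zero mod q", i)
		}
		if j, dup := seen[r]; dup {
			return fmt.Errorf("ids %d and %d collide mod q", j, i)
		}
		seen[r] = i
	}
	return nil
}
```

Dealing to the IDs `1` and `q` passes `naiveIDCheck`, yet the share for `q` is exactly the secret; dealing to `5` and `q+5` also passes, and `reconstruct` then hits the zero denominator. `hardenedIDCheck` rejects both sets before any share is computed, which is the order of checks a node should keep.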
Binance's immediate fix for the main bug was to reduce the IDs modulo the group order within the verification process. That is a mathematically sound way to catch IDs that reduce to zero. The fix was problematic, however, and introduced another problem: it was not backwards-compatible, and nodes could still crash in certain implementations.
The Threshold team took note of this and on December 8th informed Trail of Bits that it would contribute a fix to Binance's library. It also proposed extending the disclosure embargo until December 17th, to give every implementer more time to update their code now that the problem was known. After all involved parties agreed, Binance merged Threshold's fix into its library on December 10th, improving the security of the whole ecosystem of implementers of its threshold scheme.
Finally, on December 15th we released the tBTC v1.8.1 client, which permanently resolves the issue for our users.
Overall, addressing these vulnerabilities has been an example of collaboration in the space and an opportunity to strengthen the security of the Threshold Network. For a technical summary and a detailed timeline of events, see Piotr's security advisory on GitHub. You can also learn more about the vulnerabilities and the math behind them in Trail of Bits' comprehensive write-up of what they found.