CVE-2023-33242 allows an attacker to extract a full private key from a wallet implementing Lindell17 2PC protocol

The security of digital wallets has never been more critical, with cryptocurrencies enjoying unprecedented adoption worldwide. In this realm, a recent discovery by Fireblocks’ research team has unmasked a chilling vulnerability that has set alarm bells ringing across the tech world. CVE-2023-33242, a cryptographically intricate flaw affecting wallets implementing the Lindell17 2PC protocol, threatens the security of funds within these digital safes.

The flaw allows an attacker to extract a full private key from a vulnerable wallet. The attack is fascinatingly meticulous, requiring the extraction of a single bit in every signature attempt, accumulating to a total of 256 attempts. This procedure leads to an uncloaking of the complete key, granting the attacker unfettered access to the funds within the wallet.

Major players like Coinbase WaaS, ZenGo, and other libraries have already patched this vulnerability. Yet, the revelation of this issue prompts a thorough examination of the existing security measures in contemporary wallet technologies.

The Lindell17 threshold-ECDSA protocol is where the CVE-2023-33242 vulnerability was found, lurking at the interface between the protocol itself and the wider security infrastructure. What makes this flaw particularly insidious is how it originates from real-world implementations deviating from the academic specification of Lindell17, leading to mishandling or neglect of aborts in case of failed signatures.

The attacker, assuming privileged access, can exploit this vulnerability to exfiltrate the key after approximately 200 signature requests. It’s a flaw that has been proven practical and validated on both popular open-source libraries and some real-world systems.

Intriguingly, the Lindell17 protocol, typically used for wallets involving a wallet provider and an end-user, is designed in two configurations. Either the wallet provider (Server) finalizes the signature, or the end-user (Client) does so at the protocol’s conclusion. This distinction becomes a pivotal point of exploitation, leading to two cases:

• Case 1: When the Server finalizes the signature, an attacker compromising the Client can exfiltrate the key by initiating two hundred transactions. Each crafted malicious message results in a valid signature only under a specific condition, enabling the attacker to eventually recover the entire key after 256 signatures.
• Case 2: Conversely, when the Client finalizes the signature, the attacker can compromise the Server and execute a similar attack in reverse.

The implementation also has the potential to limit a “blitz” attack, a rapid sequence of signature requests. Multi-factor authentication or other safeguards may raise suspicion. However, a slower-paced attack might remain undetected.

This discovery serves as a grim reminder that the cryptographic foundation of wallets can still be pierced. It urges those using the Lindell17 2PC protocol to either upgrade to a non-vulnerable version or implement their own abort mitigation mechanism.

Interestingly, the detection of such an attack is feasible for the server due to the failed signature. Careful tracking of these events could prevent the unfurling of an attack.

An alternative approach could involve the use of a Zero-Knowledge (ZK) proof for the client’s last message, further fortifying the security walls.