CGGMP24 ECDSA Threshold Signing Protocol Missing Check Vulnerability Allowing Private Key Reconstruction
Vulnerability
A vulnerability exists in the CGGMP21 ECDSA threshold signing protocol, prior to version 0.6.3, due to a missing verification step in the zero-knowledge proof. This omission allows a single malicious signer to reconstruct the full private key. The vulnerability has been patched in version 0.6.3, but for enhanced security, users are advised to upgrade to CGGMP24 version 0.7.0-alpha.2, which includes additional security checks.
Impact
Exploitation of this vulnerability allows for the full reconstruction of a private key by a malicious signer.
Remediation
Users can update to CGGMP21 version 0.6.3 for a quick patch. For full mitigation, it is recommended to upgrade to CGGMP24 version 0.7.0-alpha.2, which includes more comprehensive security checks. Instructions for upgrading to version 0.7.0-alpha.2 are available in the CGGMP21 migration guideline.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.