bnb-chain/tss-lib

bnb-chain/tss-lib

Releases15

Frequency5 months 2 weeks

Last Release 2 months ago

Stars1.02K

Threshold Signature Scheme, for ECDSA and EDDSA

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2023-26556 ↗	Apr 21, 2023Friday, 21 April 2023, 18:15	9.1 CRITICAL	—
io.finnet tss-lib before 2.0.0 can leak a secret key via a timing side-channel attack because it relies on the scalar-multiplication implementation in Go crypto/elliptic, which is not constant time (there is an if statement in a loop). One leak is in ecdsa/keygen/round_2.go. (bnb-chain/tss-lib and thorchain/tss are also affected.)
CVE-2023-26557 ↗	Apr 21, 2023Friday, 21 April 2023, 18:15	7.5 HIGH	—
io.finnet tss-lib before 2.0.0 can leak the lambda value of a private key via a timing side-channel attack because it relies on Go big.Int, which is not constant time for Cmp, modular exponentiation, or modular inverse. An example leak is in crypto/paillier/paillier.go. (bnb-chain/tss-lib and thorchain/tss are also affected.)
CVE-2020-12118 ↗	Apr 23, 2020Thursday, 23 April 2020, 22:15	8.2 HIGH	6.4 MEDIUM
The keygen protocol implementation in Binance tss-lib before 1.2.0 allows attackers to generate crafted h1 and h2 parameters in order to compromise a signing round or obtain sensitive information from other parties.