SlowMist has identified a serious security flaw in a widely used cryptographic library. The flaw allows hackers to reverse engineer the private keys of applications that depend on it.
Blockchain security company SlowMist has flagged a critical security vulnerability in the JavaScript elliptic encryption library, commonly used in crypto wallets (including MetaMask, Trust Wallet, Ledger, and Trezor), identity authentication systems, and Web3 applications. Specifically, the flagged vulnerability allows an attacker to extract a private key by manipulating a specific input during a single signature operation. This gives the attacker complete control over the victim's digital assets or identity credentials.
⚠️ A critical vulnerability (GHSA-VJH7-7G9H-FJFH) has been discovered in the widely used elliptic encryption library.
Attackers can exploit this flaw by creating specific inputs, extracting private keys with just a single signature, potentially breaching digital assets, or…
– March 5, 2025
A typical Elliptic Curve Digital Signature Algorithm (ECDSA) signing process takes several parameters to generate a digital signature: the message, the private key, and a unique random number (k). The message is hashed and signed using the private key. The random value k must be different for each signature, even if the same message is signed multiple times. It is like a stamp that needs fresh ink each time it is used. The vulnerability identified by SlowMist occurs when k is incorrectly reused for a different message. If k is reused, an attacker can take advantage of this to reverse engineer the private key.
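The reuse condition described above can be audited for in a log of issued signatures. The following is an added example, not code from SlowMist or the elliptic project; the record fields (`pubkey`, `msgHash`, `sigDer`) and all sample values are assumptions constructed for illustration.

```javascript
// Added example. r is derived only from k, so one key producing the same r
// for two different message hashes means k was reused.
function parseDerSignature(hex) {
  if (!/^([0-9a-f]{2})+$/i.test(hex)) throw new Error("signature is not hex");
  const b = hex.match(/../g).map((h) => parseInt(h, 16));
  let pos = 0;
  const readLen = () => {
    const len = b[pos++];
    // Short-form lengths cover signatures on 256-bit curves such as secp256k1.
    if (len === undefined || len >= 0x80) throw new Error("unsupported length");
    return len;
  };
  const readInt = () => {
    if (b[pos++] !== 0x02) throw new Error("expected INTEGER");
    const len = readLen();
    if (len === 0 || pos + len > b.length) throw new Error("bad INTEGER length");
    const v = b.slice(pos, pos + len);
    pos += len;
    const h = v.map((x) => x.toString(16).padStart(2, "0")).join("");
    return h.replace(/^(00)+(?=.)/, ""); // drop DER sign padding
  };
  if (b[pos++] !== 0x30) throw new Error("expected SEQUENCE");
  if (readLen() !== b.length - pos) throw new Error("length mismatch");
  const r = readInt(), s = readInt();
  if (pos !== b.length) throw new Error("trailing bytes");
  return { r, s };
}

// records: [{ pubkey, msgHash, sigDer }] -> [{ pubkey, r, msgHashes }]
function findNonceReuse(records) {
  const groups = new Map(); // "pubkey|r" -> Set of message hashes
  for (const rec of records) {
    const key = rec.pubkey + "|" + parseDerSignature(rec.sigDer).r;
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(rec.msgHash.toLowerCase());
  }
  return [...groups].filter(([, h]) => h.size > 1).map(([key, h]) => {
    const [pubkey, r] = key.split("|");
    return { pubkey, r, msgHashes: [...h].sort() };
  });
}

// Constructed sample log; values are shortened placeholders, not real signatures.
const SAMPLE = [
  { pubkey: "key-a", msgHash: "aa01", sigDer: "300902031a2b3c02020405" },
  { pubkey: "key-a", msgHash: "aa02", sigDer: "300902031a2b3c02020607" }, // same r, new message
  { pubkey: "key-b", msgHash: "bb01", sigDer: "30090203009d1102020a0b" },
  { pubkey: "key-b", msgHash: "bb01", sigDer: "30090203009d1102020a0b" }, // same message repeated
];
console.log(JSON.stringify(findNonceReuse(SAMPLE)));
```

Any key that appears in the findings should be treated as exposed and rotated. The same message signed twice with the same r is not flagged, since deterministic signers produce that by design.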
Similar vulnerabilities in ECDSA have led to security breaches in the past. For example, in July 2021, the Anyswap protocol was compromised when an attacker exploited a weak ECDSA signature. The attacker was able to use the vulnerability to forge signatures and withdraw funds from the Anyswap protocol, resulting in a loss of around $8 million.


