Open in app

Sign in

Write

Sign in

Anyswap-MPCNode Bug Report

July/15/ 2021

Multichain (Previously Anyswap)
Multichain

--

Bug Description

Anyswap-MPCNode distributed signed two transactions with the same R-value. The hacker deduced the private key to this MPC account in reverse and attacked the router V3 liquidity pool. Details: https://anyswap.medium.com/anyswap-multichain-router-v3-exploit-statement-6833f1b7e6fb

Background

Anyswap MPC network is based on GG20 Threshold ECDSA signatures. It’s a highly efficient protocol with a non-interactive online phase allowing for Anyswap MPC nodes to asynchronously participate in the protocol without the need to be online simultaneously. The protocol can be split into a preprocessing stage with most of the computation and communication, and an online stage when the message is known, consisting of a single communication round where each MPC node performs a single scalar multiplication. Anyswap MPC nodes preprocess a set of R and other parameters to speed up distributed signatures.

Bug analysis

A customized testnet was built to 100% reproduce this bug. The root cause is a new patch of MPCNode code which router v3 used caused the bug. Anyswap bridge v1/v2 uses the old version, so V1/V2 doesn’t have this problem.

Details: a month ago (same time as the second same R transaction), a new version code of MPC node deployed for Anyswap Router v3, MPC nodes restarted then reloaded the used R from database to memory, the used R data should have been deleted after signed but failed. A new cross-chain transaction sign with used R causes the bug.

This is a very low-probability bug. It requires that MPC nodes fail to delete the same R data from the database, and reload the same R data after all nodes restart.

Bug Solution

Add 2 patches to fix this bug.

1. Revert commit f3cabbe to avoid reloading duplicate R when restarting MPC node.

https://github.com/anyswap/Anyswap-MPCNode/commit/a31a797adef810bc150d1ee9b2c2b2320501bc2c

2. Delete R from DB before signing.

https://github.com/anyswap/Anyswap-MPCNode/commit/2e4df3c953ce242331ef49067a322782c284654f

The patches have been tested on the testnet, the duplicate R signatures bug is resolved.

To get involved and stay up to date:

* Join the Anyswap community: https://t.me/anyswap

* Follow Anyswap on: https://twitter.com/AnyswapNetwork

* Subscribe to the Anyswap: https://anyswap.medium.com/

* Send email to Anyswap: connect@anyswap.exchange

--

--

Multichain (Previously Anyswap)
Multichain

Written by Multichain (Previously Anyswap)

4.5K Followers
Editor for

Cross-Chain Router Protocol (CRP), an infrastructure for cross-chain interoperability, envisioned to be the ultimate router for Web3 https://multichain.org/

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams