
Blockchain security firm SlowMist has identified a severe security vulnerability in elliptic, a widely used JavaScript elliptic-curve cryptography library, potentially putting crypto wallets, authentication systems, and Web3 applications at risk. The flaw could allow attackers to extract private keys by exploiting a weakness in the signature process, granting them full control over a victim's digital assets or identity credentials.
The Identified Vulnerability
SlowMist flagged the vulnerability (GHSA-vjh7-7g9h-fjfh) in an X post on March 5, rating it critical and warning that attackers could exploit it by manipulating the inputs to a single signature operation. The affected library is commonly used in major crypto wallets, including MetaMask, Trust Wallet, Ledger, and Trezor, as well as in various identity authentication systems and decentralized applications.
The flaw concerns the Elliptic Curve Digital Signature Algorithm (ECDSA), which takes three inputs to produce a signature: the message, the private key, and a nonce k that must be unique and unpredictable for every signature. Because k is fresh each time, signing the same message twice yields two different signatures. If k is reused for two different messages under the same private key, however, the pair of signatures gives an attacker enough information to solve for the private key mathematically.
Real-World Implications and Previous Cases
Reusing k in ECDSA has historically led to major security breaches. In July 2021, the Anyswap protocol was exploited through weak ECDSA signatures. Attackers leveraged a similar vulnerability to forge signatures and withdraw funds, leading to an $8 million loss.
Mitigating the Risk
SlowMist’s discovery underscores the critical need for developers and organizations relying on the affected library to update their implementations and strengthen cryptographic security measures. Security experts recommend ensuring proper randomization of k in all cryptographic operations to prevent private key exposure.
As Web3 and blockchain technologies continue to expand, addressing such vulnerabilities is essential to safeguarding digital assets and maintaining user trust. SlowMist is actively working with developers to mitigate the flaw and prevent further security risks.