Some multisignature (multisig) wallets might suffer exploitation via web3 apps using the StarkEx protocol, per Safeheron.
Safeheron, a multi-party computation or MPC wallet developer, states in its press release that the vulnerability impacts MPC wallets interacting with StarkEx apps (e.g. dYdX). Safeheron is reportedly working towards removing the vulnerability with web3 developers (viz. Fireblocks, Fordefi, StarkWare, etc).
The vulnerability in question, lets web3 apps using the StarkEx protocol, operate without the formality of private keys’ security in MPC wallets. In practice, this could provide access to users’ Layer-2 (L2) keys to the wallet entities. Per Safeheron’s claims, the security flaw in question emerges upon these wallets’ interaction with StarkEx-based apps (e.g. dYdX and Fireblocks).
These applications tend to “obtain a stark_key_signature and/or api_key_signature” to then “bypass the security protection of private keys in MPC wallets,” states Safeheron. This anomaly lets an attacker initiate orders and L2 transfers, cancel orders, and also initiate various illicit transactions.
Safeheron said,The interaction between MPC wallets and dYdX or similar dApps [decentralized applications] that use signature-derived keys undermines the principle of self-custody for MPC wallet platforms.
Customers may be able to bypass pre-defined transaction policies, and employees who have left the organization may still retain the capability to operate the dApp.
Applauding Safeheron’s prompt action to flag the vulnerability and seek timely solutions, Avihu Levy, Head (Product), StarkWare, said, It’s great that Safeheron is open-sourcing a protocol focusing on this challenge.
We encourage developers to address any security challenge that should arise with any integration, however limited its scope. This includes the challenge being discussed now.
As per Safeheron, at times financial institutions and Web3 app developers use MPC wallets for ensuring the security of their crypto assets. Safeheron’s documentation states in MPC wallets, just like a standard multisig wallet, multiple signatures are required for all transactions.
But MPC wallets do not require the deployment to the blockchain of specialized smart contracts. MPC wallets also do not need to be developed in the protocol of the blockchain, per Safeheron.
MPC wallets operate via private key “shards,” wherein each signer holds one shard. Requiring to be joined off-chain for signature production, these (also blockchain agnostic) MPC wallets have a lower gas fee compared to multisigs, per Safeheron.
