CVE-2023-26556

Published: Apr 21, 2023

Modified: Feb 5, 2025

PUBLISHED

Description

io.finnet tss-lib before 2.0.0 can leak a secret key via a timing side-channel attack because it relies on the scalar-multiplication implementation in Go crypto/elliptic, which is not constant time (there is an if statement in a loop). One leak is in ecdsa/keygen/round_2.go. (bnb-chain/tss-lib and thorchain/tss are also affected.)

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/IoFinnet/tss-lib/releases/tag/v2.0.0

https://github.com/bnb-chain/tss-lib/tree/v1.3.5

https://gitlab.com/thorchain/tss/tss-lib/-/tags/v0.1.3

https://medium.com/%40iofinnet/security-disclosure-for-ecdsa-and-eddsa-threshold-signature-schemes-4e969af7155b

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-26556

Description

Affected Products

References