A company that is changing the way the world mines bitcoin

crypto.news 2025-03-05 10:49:34

SlowMist flags a security flaw that could lead to private key leakage

SlowMist has identified a critical security flaw in a widely-used encryption library, which could allow hackers to reverse engineer private keys in applications that depend on it. Blockchain security firm SlowMist has flagged a critical security vulnerability in the JavaScript elliptic encryption library, commonly utilized in crypto wallets (including MetaMask , Trust Wallet, Ledger, and Trezor), identity authentication systems, and Web3 applications. Specifically, flagged vulnerability allows attackers to extract private keys by manipulating specific inputs during a single signature operation, which could give them full control over a victim’s digital assets or identity credentials. ⚠️A critical vulnerability (GHSA-vjh7-7g9h-fjfh) has been discovered in the widely-used elliptic encryption library. 😈Attackers can exploit this flaw by crafting specific inputs to extract private keys with just a single signature, potentially compromising digital assets or… — SlowMist (@SlowMist_Team) March 5, 2025 The typical Elliptic Curve Digital Signature Algorithm process requires several parameters to generate a digital signature: the message, the private key, and a unique random number (k). The message is hashed and then signed using the private key. As for the random value k, it’s needed to make sure that even if the same message is signed multiple times, each signature is different—similar to how a stamp requires fresh ink for each use. The specific vulnerability identified by SlowMist occurs when k is mistakenly reused for different messages. If k is reused, attackers can exploit this vulnerability, which can allow them to reverse engineer the private key . You might also like: News Kaspersky warns of SparkCat malware that targets private keys on Android and iOS Similar vulnerabilities in ECDSA have led to security breaches in the past. For example, in July 2021, the Anyswap protocol was compromised when attackers took advantage of weak ECDSA signatures. They used the vulnerability to forge signatures, allowing them to withdraw funds from the Anyswap protocol, resulting in a loss of around $8 million. You might also like: Crypto wallet recovery without a private key or seed phrase | Opinion