Certain multisignature (multisig) wallets can be exploited by Web3 apps that use the Starknet protocol, according to a March 9 press release provided to Cointelegraph by Multi-Party Computation (MPC) wallet developer Safeheron. The vulnerability affects MPC wallets that interact with Starknet apps such as dYdX. According to the press release, Safeheron is working with app developers to patch the vulnerability.
According to Safeheron’s protocol documentation, MPC wallets are sometimes used by financial institutions and Web3 app developers to secure crypto assets they own. Similar to a standard multisig wallet, they require multiple signatures for each transaction. But unlike standard multisigs, they do not require specialized smart contracts to be deployed to the blockchain, nor do they have to be built into the blockchain’s protocol.
Instead, these wallets work by generating “shards” of a private key, with each shard being held by one signer. These shards have to be joined together off-chain in order to produce a signature. Because of this difference, MPC wallets can have lower gas fees than other types of multisigs and can be blockchain agnostic, according to the docs.
MPC wallets are often seen as more secure than single signature wallets, since an attacker can’t generally hack them unless they compromise more than one device.
However, Safeheron claims to have discovered a security flaw that arises when these wallets interact with Starknet-based apps such as dYdX and Fireblocks. When these apps “obtain a stark_key_signature and/or api_key_signature,” they can “bypass the security protection of private keys in MPC wallets,” the company said in its press release. This can allow an attacker to place orders, perform layer 2
Read more on cointelegraph.com