GHSA-7f6p-phw2-8253: Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws

November 25, 2024 (updated January 28, 2025)

Coinbase researchers reported 2 security issues in our implementation of the oblivious transfer (OT) based protocol DKLS:

References

eprint.iacr.org/2018/499.pdf
github.com/advisories/GHSA-7f6p-phw2-8253
github.com/taurushq-io/multi-party-sig
github.com/taurushq-io/multi-party-sig/blob/4d84aafb57b437da1b933db9a265fb7ce4e7c138/internal/ot/extended.go
github.com/taurushq-io/multi-party-sig/blob/9e4400fccee89be6195d0a12dd0ed052288d5040/internal/ot/extended.go
github.com/taurushq-io/multi-party-sig/security/advisories/GHSA-7f6p-phw2-8253
github.com/taurushq-io/multi-party-sig/tree/otfix

Code Behaviors & Features

Detect and mitigate GHSA-7f6p-phw2-8253 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →