GHSA-7f6p-phw2-8253
Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws
Blast Radius
github.com/taurusgroup/multi-party-sigReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Coinbase researchers reported 2 security issues in our implementation of the oblivious transfer (OT) based protocol DKLS:
1. Secret share recovery attack
If the base OT setup of the protocol is reused for another execution of the OT extension, then a malicious participant can extract a bit of the secret of another participant. By repeating the execution they can eventually recover the whole secret.
Therefore, unlike our comments suggested, you must not reuse an OT setup for multiple protocol executions.
We're adding a warning in the code:
2. Invalid security proof due to incorrect operator
The original 2018 version of the DKLS had a typo in the OT extension protocol when computing the check value in the OT extension: the paper noted a XOR whereas it should be a field multiplication. This erroneous behavior was implemented in our code.
The proof of security fails in this case. No concrete attack is known, however.
The 2023 update of the DKLS paper reported that typo and updated the protocol definition.
As of 20241124, patching is in progress (branch otfix), but not merged to the main branch yes as the tests fail to pass. We're troubleshooting the issue and will merge into the main branch when it's resolved.
As of 20250128, a patched version is available in https://github.com/taurushq-io/multi-party-sig/releases/tag/v0.7.0-alpha-2025-01-28, thanks to https://github.com/taurushq-io/multi-party-sig/pull/119.
Workarounds
Do not reuse an OT setup in the event that an abort is detected, to eliminate the secret recovery attack.
Credits
Thanks to the Coinbase researchers Yi-Hsiu Chen and Samuel Ranellucci for discovering these issues and providing a comprehensive write-up. Thank you to Yehuda Lindell for coordinating the disclosure. Thanks to Jay Prakash for clarifying the risk of the base setup reuse. Thanks to @cronokirby for writing the corrected code.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/taurusgroup/multi-party-sig | all versions | 0.7.0-alpha-2025-01-28 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/taurusgroup/multi-party-sig. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/taurusgroup/multi-party-sig to 0.7.0-alpha-2025-01-28 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-7f6p-phw2-8253 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-7f6p-phw2-8253 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-7f6p-phw2-8253. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-7f6p-phw2-8253 in your dependencies?
O3 detects GHSA-7f6p-phw2-8253 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.