
Smart Wallet Vulnerability using The Rogue Public Key Attack


A good deal of our current research work is focused on digital wallets, and we hope that through our current work we can create an infrastructure in the EU where every citizen will have a digital wallet. And so, at the core of the security of this is the fundamental implementation of wallets. If there were to be any security vulnerabilities, they could compromise the whole infrastructure.

And so, when you see a “new” vulnerability on wallets, you take notice. This happened this week with this tweet from the DeFi Security Summit [here]:

With this, the compromise uses the BLS aggregated signature method, and inverts one of the public keys in order to produce a valid signature. Of course, there would have to be some bad programming for this to happen, especially if there was no checking of the public keys used. The first thing that must be said is that this is NOT a new attack, and it was outlined in [1]. While we implement Hyperledger Fabric wallets (as part of a proposed integration with EBSI), our implementations are not vulnerable.

So, please stay with me here, as I outline how the Rogue Public Key attack works.
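The public-key check mentioned above, as an added example that is not code from the original article: a toy model of same-message BLS aggregation in which group elements are stored as exponents mod a prime and the pairing is multiplication, so it reproduces the algebra only and is not secure. The proof-of-possession check, the function names and the keys are assumptions of this example.

```python
import hashlib

# TOY MODEL (constructed, not secure): each group element is stored as its
# exponent mod Q, so the pairing e(X, Y) becomes multiplication mod Q.
Q = 2**127 - 1          # prime group order (assumed for this model)
G2 = 5                  # generator of the public-key group

def pairing(x, y):
    return (x * y) % Q

def h(tag, data):       # stand-in for hash-to-curve, domain-separated by tag
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % Q

def pubkey(sk):
    return (sk * G2) % Q

def sign(sk, msg):
    return (sk * h(b"MSG", msg)) % Q

def pop_hash(pk):
    return h(b"POP", pk.to_bytes(16, "big"))

def pop_ok(pk, pop):    # proof of possession: a signature over the key itself
    return pairing(pop, G2) == pairing(pop_hash(pk), pk)

def verify_aggregate(pks, pops, msg, agg_sig, require_pop=True):
    if require_pop and (len(pks) != len(pops) or
                        not all(pop_ok(pk, p) for pk, p in zip(pks, pops))):
        return False    # a key without a valid proof is never aggregated
    return pairing(agg_sig, G2) == pairing(h(b"MSG", msg), sum(pks) % Q)

def demo():
    sk_a, sk_b, sk_x = 0x1234567, 0x7654321, 0x89ABCDE    # constructed keys
    msg = b"constructed message"
    pk_a, pk_b = pubkey(sk_a), pubkey(sk_b)
    pops = [sk_a * pop_hash(pk_a) % Q, sk_b * pop_hash(pk_b) % Q]
    honest = verify_aggregate([pk_a, pk_b], pops, msg,
                              (sign(sk_a, msg) + sign(sk_b, msg)) % Q)
    # Rogue key as the article describes: a key with pk_a inverted inside it,
    # so the aggregate collapses to pubkey(sk_x) and A's signature is not needed.
    pk_r = (pubkey(sk_x) - pk_a) % Q
    bad_pops = [pops[0], sk_x * pop_hash(pk_r) % Q]        # best X can offer
    sig_x = sign(sk_x, msg)                                # signed by X alone
    unchecked = verify_aggregate([pk_a, pk_r], bad_pops, msg, sig_x, False)
    checked = verify_aggregate([pk_a, pk_r], bad_pops, msg, sig_x, True)
    return honest, unchecked, checked

if __name__ == "__main__":
    print(demo())   # (honest, unchecked, checked)
```

Without the key check the aggregate verifies even though the holder of `sk_a` never signed; with it, the rogue key is rejected before aggregation because nobody holds a secret key for it.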


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
