Anyswap-MPCNode Bug Report
Anyswap-MPCNode produced distributed signatures for two transactions with the same R-value. From those two signatures the attacker recovered the private key of this MPC account and attacked the Router V3 liquidity pool. Details: https://anyswap.medium.com/anyswap-multichain-router-v3-exploit-statement-6833f1b7e6fb
The Anyswap MPC network is based on GG20 threshold ECDSA signatures. It is a highly efficient protocol with a non-interactive online phase, which lets Anyswap MPC nodes participate asynchronously without having to be online at the same time. The protocol splits into a preprocessing stage that carries most of the computation and communication, and an online stage, once the message is known, consisting of a single communication round in which each MPC node performs a single scalar multiplication. Anyswap MPC nodes preprocess a set of R values and other parameters to speed up distributed signing.
A customized testnet was built to reproduce this bug 100%. The root cause is a new patch to the MPCNode code used by Router v3. Anyswap Bridge v1/v2 runs the old version, so V1/V2 does not have this problem.
Details: a month ago (at the same time as the second transaction signed with the same R), a new version of the MPC node code was deployed for Anyswap Router v3. When the MPC nodes restarted, they reloaded the used R values from the database into memory; the used R data should have been deleted after signing, but the deletion failed. A new cross-chain transaction was then signed with the already-used R, which caused the bug.
This is a very low-probability bug: it requires that the MPC nodes fail to delete the same R data from the database and then reload that same R after all nodes restart.
Two patches were added to fix this bug:
1. Revert commit f3cabbe to avoid reloading duplicate R when restarting MPC node.
2. Delete R from DB before signing.
The patches have been tested on the testnet; the duplicate-R signature bug is resolved.
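The sequence above (sign, then delete R from the DB; a failed delete; restart reloads the DB into memory; the same R is consumed again) and the second patch (consume R from the DB before signing) can be modelled without any curve arithmetic. The following Go program is an added illustration, not MPCNode's own code: the `Store`, `PreSig`, `Signature` types, the `deleteFails` switch and the `r1`/`r2`/`tx-1`/`tx-2` values are all constructed for the example. `SignUnsafe` follows the pre-patch order, `SignSafe` the patched order, and `DuplicateR` is the monitoring check a node operator would want: it flags any r-value that appears in signatures over more than one message.

```go
package main

import (
	"errors"
	"fmt"
)

// PreSig models one preprocessed tuple from the GG20 offline phase. Only the
// r-value matters here; a real node also holds the k-share and other material.
type PreSig struct {
	ID string // constructed identifier
	R  string // r-value, constructed placeholder instead of a curve point
}

// Signature models the online-phase output. S is left out on purpose: the
// model is about R lifecycle, not signature arithmetic.
type Signature struct {
	Msg string
	R   string
}

// Store models a node's pre-signature pool: a persisted list that survives
// restarts and an in-memory queue rebuilt from it on restart.
type Store struct {
	db          []PreSig    // persisted pool
	mem         []PreSig    // in-memory queue
	deleteFails bool        // simulates the DB delete failure from the incident
	sigs        []Signature // every signature this node produced
}

func NewStore(pre []PreSig, deleteFails bool) *Store {
	s := &Store{deleteFails: deleteFails}
	s.db = append(s.db, pre...)
	s.Restart()
	return s
}

// Restart reloads the in-memory queue from the persisted pool: whatever is
// still in the DB comes back, used or not.
func (s *Store) Restart() {
	s.mem = append([]PreSig(nil), s.db...)
}

func (s *Store) deleteFromDB(id string) error {
	if s.deleteFails {
		return errors.New("db delete failed (simulated)")
	}
	for i, p := range s.db {
		if p.ID == id {
			s.db = append(s.db[:i], s.db[i+1:]...)
			return nil
		}
	}
	return fmt.Errorf("presig %s not in db", id)
}

func (s *Store) pop() (PreSig, error) {
	if len(s.mem) == 0 {
		return PreSig{}, errors.New("no pre-signatures left")
	}
	p := s.mem[0]
	s.mem = s.mem[1:]
	return p, nil
}

// SignUnsafe is the pre-patch order: sign first, delete afterwards. A failed
// delete is not fatal, so the used R stays in the DB and returns on restart.
func (s *Store) SignUnsafe(msg string) (Signature, error) {
	p, err := s.pop()
	if err != nil {
		return Signature{}, err
	}
	sig := Signature{Msg: msg, R: p.R}
	s.sigs = append(s.sigs, sig)
	_ = s.deleteFromDB(p.ID)
	return sig, nil
}

// SignSafe is the patched order: consume R from persistent storage first and
// refuse to sign if that did not succeed.
func (s *Store) SignSafe(msg string) (Signature, error) {
	p, err := s.pop()
	if err != nil {
		return Signature{}, err
	}
	if err := s.deleteFromDB(p.ID); err != nil {
		return Signature{}, fmt.Errorf("refusing to sign: %w", err)
	}
	sig := Signature{Msg: msg, R: p.R}
	s.sigs = append(s.sigs, sig)
	return sig, nil
}

// DuplicateR returns r-values used for signatures over different messages,
// which is exactly the condition that exposes the private key.
func DuplicateR(sigs []Signature) []string {
	byR := map[string]map[string]bool{}
	for _, sg := range sigs {
		if byR[sg.R] == nil {
			byR[sg.R] = map[string]bool{}
		}
		byR[sg.R][sg.Msg] = true
	}
	var dups []string
	for r, msgs := range byR {
		if len(msgs) > 1 {
			dups = append(dups, r)
		}
	}
	return dups
}

// samplePool is a constructed two-entry pool for the demonstration.
func samplePool() []PreSig {
	return []PreSig{{ID: "p1", R: "r1"}, {ID: "p2", R: "r2"}}
}

func main() {
	bad := NewStore(samplePool(), true)
	bad.SignUnsafe("tx-1") // delete fails, r1 stays in the DB
	bad.Restart()          // r1 is reloaded into memory
	bad.SignUnsafe("tx-2") // r1 is consumed a second time
	fmt.Println("unsafe flow duplicates:", DuplicateR(bad.sigs))

	good := NewStore(samplePool(), true)
	if _, err := good.SignSafe("tx-1"); err != nil {
		fmt.Println("safe flow:", err)
	}
}
```

With the simulated delete failure the unsafe flow reports `r1` as reused after the restart, while the safe flow produces no signature at all and surfaces the storage error instead. Running `DuplicateR` over a node's signature log is cheap and would have flagged the second signature the moment it was produced.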
To get involved and stay up to date:
* Join the Anyswap community: https://t.me/anyswap
* Follow Anyswap on: https://twitter.com/AnyswapNetwork
* Subscribe to Anyswap on Medium: https://anyswap.medium.com/
* Send email to Anyswap: firstname.lastname@example.org