Pedersen DKG Denial of Service Vulnerability in FROST Distributed Key Generation Successfully Remediated

On January 3, 2024, Trail of Bits contacted us to report a denial-of-service vulnerability affecting several implementations of distributed key generation (DKG) protocols. Our FROST implementation was among those impacted.

The vulnerability allows the following attack: during the DKG run, a malicious participant can generate a random polynomial with more coefficients than required. In practice, this gives the key shares produced by the protocol a higher threshold than intended. For example, when generating key shares with a threshold of 2, an attacker could silently raise that value to, say, 3. Two participants would then never be able to produce a valid signature, since three or more would be required. Moreover, if the attacker raises the threshold above the total number of shares, generating valid signatures becomes impossible altogether. In the Zcash context, this could mean that deposits made into a freshly generated FROST wallet become unspendable, leading to loss of funds.

We agree that this is a confirmed and important vulnerability. It has been remediated by adding a simple check that the generated polynomials have the correct number of coefficients. The fix is included in the recently published 1.0.0 stable release of our FROST implementation. We are not aware of any production-ready FROST Zcash deployments using our software, so no user funds should be at risk.
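To make the attack and the fix described above concrete, here is an added illustration (not code from our FROST crate) over a toy prime field: it shows that the number of coefficients, not the agreed min_signers, decides how many shares reconstruct the secret, and the kind of length check the remediation adds. The prime P and all coefficients are constructed values; real FROST uses a curve scalar field and commits to each coefficient with a group element.

```rust
// Toy Shamir sharing over GF(P). P is a constructed small prime; real FROST
// uses a curve scalar field. Coefficient a_0 is the secret, and a polynomial
// with t coefficients needs t shares to reconstruct it.
const P: u64 = 7919;

fn pow_mod(mut b: u64, mut e: u64) -> u64 {
    let mut r = 1;
    while e > 0 {
        if e & 1 == 1 { r = r * b % P; }
        b = b * b % P; e >>= 1;
    }
    r
}

/// Modular inverse via Fermat's little theorem (P is prime).
fn inv(a: u64) -> u64 { pow_mod(a, P - 2) }

/// Evaluate a polynomial (coefficients ordered a_0, a_1, ...) at x, mod P.
fn eval(coeffs: &[u64], x: u64) -> u64 {
    coeffs.iter().rev().fold(0, |acc, &c| (acc * x + c) % P)
}

/// Lagrange interpolation at 0. Returns the true secret only when the share
/// count is at least the coefficient count of the polynomial behind the shares.
fn reconstruct(shares: &[(u64, u64)]) -> u64 {
    let mut s = 0;
    for (i, &(xi, yi)) in shares.iter().enumerate() {
        let (mut num, mut den) = (1, 1);
        for (j, &(xj, _)) in shares.iter().enumerate() {
            if i != j {
                num = num * xj % P;
                den = den * ((xj + P - xi) % P) % P;
            }
        }
        s = (s + yi * num % P * inv(den)) % P;
    }
    s
}

/// The remediation in spirit: in Pedersen DKG each participant broadcasts one
/// commitment entry per coefficient, so a verifier can reject any package whose
/// entry count differs from min_signers (here the toy passes the coefficients).
fn check_commitment_len(commitment: &[u64], min_signers: usize) -> Result<(), String> {
    match commitment.len() {
        n if n == min_signers => Ok(()),
        n => Err(format!("commitment has {} coefficients, expected {}", n, min_signers)),
    }
}
```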

We thank Trail of Bits for identifying the issue, providing a test case showing that our crate was vulnerable, and coordinating its disclosure.