PT-2023-15533 · Tss-Lib+1

Published 2023-04-21 · Updated 2025-02-11 · CVE-2022-47930

CVSS v3.1: 6.8 Medium

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

tss-lib versions prior to 2.0.0

Description

An issue was discovered in the tss-lib library: the ssid parameter, which defines a session id, is not used throughout the MPC implementation. This makes replaying and spoofing of messages easier, because the Schnorr proof of knowledge implemented in sch.go does not use a session id, context, or random nonce when generating the challenge. A malicious user or an eavesdropper could therefore replay a valid proof that was sent in the past.

Recommendations

For versions prior to 2.0.0, update to version 2.0.0 or later to resolve the issue. As a temporary workaround, consider implementing additional measures to prevent replay attacks, such as using a session id, context, or random nonce in the generation of the challenge. Restrict access to the Schnorr proof of knowledge implementation in sch.go to minimize the risk of exploitation.
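The session binding that the Description and Recommendations refer to, shown as an added example that is not tss-lib's sch.go or its 2.0.0 fix: a Schnorr proof of knowledge whose Fiat-Shamir challenge hashes the ssid, so a proof captured in one session fails verification in another. Assumptions: P-256 through the standard library's crypto/elliptic, SHA-256, and the hypothetical names Proof, challenge, Prove and Verify.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

var curve = elliptic.P256() // assumption: P-256 stands in for the protocol's curve

type Proof struct{ Rx, Ry, S *big.Int } // (R, s) proving knowledge of x for X = x*G

// challenge derives c = H(ssid || X || R) mod N; this is where the session is bound.
func challenge(ssid []byte, Xx, Xy, Rx, Ry *big.Int) *big.Int {
	h := sha256.New()
	h.Write(ssid)
	h.Write(elliptic.Marshal(curve, Xx, Xy)) // fixed-width point encodings keep
	h.Write(elliptic.Marshal(curve, Rx, Ry)) // the hashed transcript unambiguous
	return new(big.Int).Mod(new(big.Int).SetBytes(h.Sum(nil)), curve.Params().N)
}

// Prove returns s = k + c*x mod N; a constant ssid (e.g. nil) gives no binding.
func Prove(ssid []byte, x, Xx, Xy *big.Int) (Proof, error) {
	k, err := rand.Int(rand.Reader, curve.Params().N)
	if err != nil {
		return Proof{}, err
	}
	Rx, Ry := curve.ScalarBaseMult(k.Bytes())
	s := new(big.Int).Mul(challenge(ssid, Xx, Xy, Rx, Ry), x)
	return Proof{Rx, Ry, s.Add(s, k).Mod(s, curve.Params().N)}, nil
}

// Verify checks s*G == R + c*X with c recomputed under the verifier's own ssid.
func Verify(ssid []byte, Xx, Xy *big.Int, p Proof) bool {
	if !curve.IsOnCurve(Xx, Xy) || !curve.IsOnCurve(p.Rx, p.Ry) {
		return false // off-curve input or the point at infinity
	}
	cXx, cXy := curve.ScalarMult(Xx, Xy, challenge(ssid, Xx, Xy, p.Rx, p.Ry).Bytes())
	ex, ey := curve.Add(p.Rx, p.Ry, cXx, cXy)
	sx, sy := curve.ScalarBaseMult(p.S.Bytes())
	return sx.Cmp(ex) == 0 && sy.Cmp(ey) == 0
}
func main() {
	x := big.NewInt(0xC0FFEE) // constructed demo secret
	Xx, Xy := curve.ScalarBaseMult(x.Bytes())
	p, _ := Prove([]byte("session-1"), x, Xx, Xy)
	fmt.Println(Verify([]byte("session-1"), Xx, Xy, p), Verify([]byte("session-2"), Xx, Xy, p)) // true false
}
```

When both sides pass the same constant ssid, the challenge depends only on X and R, which is the replayable condition the advisory describes.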

Related Identifiers

CVE-2022-47930
GHSA-C58H-QV6G-FW74
GO-2023-1867
OPENSUSE-SU-2025:14754-1
OPENSUSE-SU-2025_0429-1
SUSE-SU-2025:0429-1

Affected Products

Suse
Tss-Lib