PT-2025-36637 · crates.io · frost-core

Published: 2025-09-03 · Updated: 2025-09-03

CVSS v4.0: 6.0 (Medium)

Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Impact

It was not clear that it is not possible to change min_signers (i.e. the threshold) with the refresh share functionality (the frost_core::keys::refresh module). Using a smaller value would not decrease the threshold, and attempts to sign using the smaller threshold would fail. Additionally, after refreshing the shares with a smaller threshold, it would still be possible to sign with the original threshold; however, this could cause a security loss to the participants' shares. We have not determined the exact security implications of doing so and judged it simpler to just validate min_signers.

If for some reason you have run a refresh share procedure with a smaller min_signers, we strongly recommend migrating to a new key.

Patches

Updating to 2.2.0 will ensure that the min_signers parameter is validated. However, it won't restore the security of groups that were refreshed with a smaller min_signers parameter.
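The mechanism behind the advisory, as an added illustration that is not frost-core's code: a toy Shamir model over a tiny prime field, where a refresh adds shares of a zero-constant polynomial whose degree is set by the min_signers the caller passes. A smaller min_signers than the group's threshold leaves the combined polynomial at its original degree, so the original threshold still recovers the secret while the smaller one does not; validated_refresh models the kind of check 2.2.0 adds (its name and the sample values are assumptions).

```rust
// Toy Shamir model of FROST share refresh, added to illustrate the advisory; not
// frost-core's code. Tiny prime field; "signing" = reconstructing the secret.
const P: u64 = 65521;

fn modpow(mut b: u64, mut e: u64) -> u64 {
    let mut r = 1;
    while e > 0 {
        if e & 1 == 1 { r = r * b % P; }
        b = b * b % P;
        e >>= 1;
    }
    r
}
/// Evaluate a polynomial (ascending coefficients) at x.
fn eval(coeffs: &[u64], x: u64) -> u64 {
    coeffs.iter().rev().fold(0, |acc, &c| (acc * x + c) % P)
}
/// Lagrange interpolation at x = 0; correct only with at least degree + 1 shares.
fn reconstruct(shares: &[(u64, u64)]) -> u64 {
    shares.iter().fold(0, |acc, &(xi, yi)| {
        let l = shares.iter().filter(|s| s.0 != xi).fold(1, |l, &(xj, _)| {
            l * (P - xj) % P * modpow((xi + P - xj) % P, P - 2) % P
        });
        (acc + yi * l) % P
    })
}

/// A refresh adds to every share a share of a polynomial with constant term 0;
/// its number of coefficients is the min_signers the caller passed in.
fn refresh(shares: &[(u64, u64)], zero_poly: &[u64]) -> Vec<(u64, u64)> {
    shares.iter().map(|&(x, y)| (x, (y + eval(zero_poly, x)) % P)).collect()
}
/// Guard modelling the 2.2.0 fix: reject a min_signers that differs from the
/// threshold the group was generated with, since a refresh cannot change it.
fn validated_refresh(shares: &[(u64, u64)], group_min_signers: usize,
                     zero_poly: &[u64]) -> Result<Vec<(u64, u64)>, &'static str> {
    if zero_poly.len() != group_min_signers || zero_poly[0] != 0 {
        return Err("min_signers must equal the group's threshold");
    }
    Ok(refresh(shares, zero_poly))
}

/// 3-of-5 group refreshed, without validation, using the smaller min_signers = 2.
/// Returns (secret, value recovered from 3 refreshed shares, value from 2).
fn demo() -> (u64, u64, u64) {
    let secret_poly = [4242, 17, 99]; // constructed: degree 2, i.e. 3-of-5
    let shares: Vec<_> = (1..=5).map(|x| (x, eval(&secret_poly, x))).collect();
    let bad = refresh(&shares, &[0, 31]); // degree 1, as min_signers = 2 selects
    (secret_poly[0], reconstruct(&bad[..3]), reconstruct(&bad[..2]))
}
```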

Workarounds

You don't need to update if you don't use the refresh share functionality, or if you didn't try to change the min_signers parameter using it.

References

Thank you to BlockSec for reporting the finding.

Fix

Weakness Enumeration

Improper Privilege Management

Related Identifiers

GHSA-wgq8-vr6r-mqxm

Affected Products

frost-core