Headline
GHSA-2ff4-xfpr-m32r: `Slip10Like` derivation method instantiated with certain curves may allow attacker to find derivation path which results into very long derivation (possible DoS)
Impact
<!-- What kind of vulnerability is it? Who is impacted? -->
Impacted are the only ones who use hd_wallet::Slip10Like or slip_10 derivation method instantiated with curves other than secp256k1 and secp256r1.
hd_wallet crate used to provide Slip10Like derivation method, which is also provided in slip-10 crate as a default derivation method. It’s based on slip10 method that searches for a valid child key in an infinite loop until it’s found.
Theoretically, this could be exploited by an attacker by finding a derivation path that would force someone to execute a lot of iterations of this loop to find a valid child key. This attack, however, requires the probability of getting an invalid scalar from random 32 bytes to be high. Slip10 is protected from this attack as it’s only defined on secp256k1 and secp256r1 curves, for which such probability is very low:
- For secp256k1, probability is $< 2^{-127}$. This means that a loop with 2 or more iterations is vanishingly impossible.
- For secp256r1, probability is $< 2^{-32}$. This means that a loop with 5 or more iterations is vanishingly impossible.
While standard curves are safe to use with slip10, we used to allow slip10-like derivation which can be instantiated with any curve. For instance, one could instantiate it with ed25519 or stark curves, for which probability of getting invalid scalar from random 32 bytes is >90%, so theoretically, attacker could try to DoS such construction.
Patches
<!-- Has the problem been patched? What versions should users upgrade to? -->
hd_wallet v0.6.0 has been patched by removing slip10-like derivation from public API.
If you need HD derivation on other curves than secp256k1 and secp256r1, we suggest you to use:
hd_wallet::Edwardsderivation method available for ed25519 curvehd_wallet::Starkderivation method available for stark curve
Both derivation methods are non-standard, but secure and efficient.
If you’re still using slip_10 and would like to migrate to patched version, please migrate to hd_wallet v0.6. You may first migrate from slip_10 v0.4 to hd_wallet v0.5 by following migration instructions available in the docs, and then upgrade from hd_wallet v0.5 to hd_wallet v0.6.
Workarounds
Technically, you don’t need to upgrade if you don’t use slip10-like derivation instantiated with other curves than secp256k1 or secp256r1.
However, if you do, migrating to other derivation method might be required.
Reach out to us in Discord
If you want to reach out to us, feel free to write to #lockness room in Discord
Credits
Thanks to Alessio Marziali [email protected] for discovering and flagging this issue
Impact
Impacted are the only ones who use hd_wallet::Slip10Like or slip_10 derivation method instantiated with curves other than secp256k1 and secp256r1.
hd_wallet crate used to provide Slip10Like derivation method, which is also provided in slip-10 crate as a default derivation method. It’s based on slip10 method that searches for a valid child key in an infinite loop until it’s found.
Theoretically, this could be exploited by an attacker by finding a derivation path that would force someone to execute a lot of iterations of this loop to find a valid child key. This attack, however, requires the probability of getting an invalid scalar from random 32 bytes to be high. Slip10 is protected from this attack as it’s only defined on secp256k1 and secp256r1 curves, for which such probability is very low:
- For secp256k1, probability is $< 2^{-127}$. This means that a loop with 2 or more iterations is vanishingly impossible.
- For secp256r1, probability is $< 2^{-32}$. This means that a loop with 5 or more iterations is vanishingly impossible.
While standard curves are safe to use with slip10, we used to allow slip10-like derivation which can be instantiated with any curve. For instance, one could instantiate it with ed25519 or stark curves, for which probability of getting invalid scalar from random 32 bytes is >90%, so theoretically, attacker could try to DoS such construction.
Patches
hd_wallet v0.6.0 has been patched by removing slip10-like derivation from public API.
If you need HD derivation on other curves than secp256k1 and secp256r1, we suggest you to use:
- hd_wallet::Edwards derivation method available for ed25519 curve
- hd_wallet::Stark derivation method available for stark curve
Both derivation methods are non-standard, but secure and efficient.
If you’re still using slip_10 and would like to migrate to patched version, please migrate to hd_wallet v0.6. You may first migrate from slip_10 v0.4 to hd_wallet v0.5 by following migration instructions available in the docs, and then upgrade from hd_wallet v0.5 to hd_wallet v0.6.
Workarounds
Technically, you don’t need to upgrade if you don’t use slip10-like derivation instantiated with other curves than secp256k1 or secp256r1.
However, if you do, migrating to other derivation method might be required.
Reach out to us in Discord
If you want to reach out to us, feel free to write to #lockness room in Discord
Credits
Thanks to Alessio Marziali [email protected] for discovering and flagging this issue
References
- GHSA-2ff4-xfpr-m32r
- LFDT-Lockness/hd-wallet@a7e3770