Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yZmY0LXhmcHItbTMycs4ABCjM
`Slip10Like` derivation method instantiated with certain curves may allow an attacker to find a derivation path that results in a very long derivation (possible DoS)
Impact
Impacted are only those who use the hd_wallet::Slip10Like or slip_10 derivation method instantiated with curves other than secp256k1 and secp256r1.
The hd_wallet crate used to provide the Slip10Like derivation method, which the slip-10 crate also provides as its default derivation method. It is based on the SLIP-10 method, which searches for a valid child key in an unbounded loop until one is found.
Theoretically, this could be exploited by an attacker by finding a derivation path that would force someone to execute a lot of iterations of this loop to find a valid child key. This attack, however, requires the probability of getting an invalid scalar from random 32 bytes to be high. Slip10 is protected from this attack as it's only defined on secp256k1 and secp256r1 curves, for which such probability is very low:
- For secp256k1, probability is $< 2^{-127}$. This means that a loop with 2 or more iterations is vanishingly impossible.
- For secp256r1, probability is $< 2^{-32}$. This means that a loop with 5 or more iterations is vanishingly impossible.
While the standard curves are safe to use with SLIP-10, we used to allow a slip10-like derivation that can be instantiated with any curve. For instance, one could instantiate it with the ed25519 or Stark curves, for which the probability of getting an invalid scalar from random 32 bytes is >90%, so theoretically an attacker could try to DoS such a construction.
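The numbers above follow directly from the group orders. The following added example (not code from the hd_wallet or slip-10 crates) computes the per-curve probability of an invalid scalar, the chance that the search loop runs k or more times, and shows the defensive shape of the loop: the SLIP-10 retry rule, assumed here to be what Slip10Like mirrors, with an iteration cap so a hostile path fails instead of spinning. Curve orders are the published constants; the derivation inputs in the test are constructed.

```python
import hashlib
import hmac
from fractions import Fraction

# Group orders of the curves the advisory names (standard published constants).
CURVE_ORDER = {
    "secp256k1": 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141,
    "secp256r1": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    "ed25519": 2**252 + 27742317777372353535851937790883648493,
    "stark": 0x0800000000000010FFFFFFFFFFFFFFFFB781126DCAE7B2321E66A241ADC64D2F,
}


def invalid_scalar_probability(order: int) -> Fraction:
    """P(32 random bytes parse to 0 or to a value >= order): one more loop pass."""
    return Fraction(2**256 - order + 1, 2**256)


def prob_at_least_iterations(order: int, k: int) -> Fraction:
    """P(the child-key search runs k or more times) = p_invalid ** (k - 1)."""
    return invalid_scalar_probability(order) ** (k - 1)


def expected_iterations(order: int) -> float:
    """Mean number of passes of the search loop (geometric distribution)."""
    return float(1 / (1 - invalid_scalar_probability(order)))


class DerivationTooLong(Exception):
    """Raised when the bounded search gives up instead of spinning."""


def bounded_hardened_child(order, parent_key, chain_code, index, max_iters=64):
    """Hardened child derivation with the SLIP-10 retry rule (assumed here to be
    the loop Slip10Like mirrors), plus an iteration cap: a path that needs more
    than max_iters passes raises instead of consuming unbounded CPU.
    Returns (child_key, child_chain_code, iterations_used)."""
    data = b"\x00" + parent_key.to_bytes(32, "big") + index.to_bytes(4, "big")
    for used in range(1, max_iters + 1):
        digest = hmac.new(chain_code, data, hashlib.sha512).digest()
        il, ir = int.from_bytes(digest[:32], "big"), digest[32:]
        if il < order:
            child = (il + parent_key) % order
            if child != 0:
                return child, ir, used
        # Invalid scalar: SLIP-10 re-hashes 0x01 || IR || index and tries again.
        data = b"\x01" + ir + index.to_bytes(4, "big")
    raise DerivationTooLong(f"no valid child after {max_iters} passes")
```

On ed25519 the loop averages about 16 passes and on the Stark curve about 32, which is why an unbounded search there is a usable DoS lever while on secp256k1 a second pass is practically unreachable.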
Patches
hd_wallet v0.6.0 has been patched by removing slip10-like derivation from the public API.
If you need HD derivation on curves other than secp256k1 and secp256r1, we suggest you use:
- hd_wallet::Edwards derivation method, available for the ed25519 curve
- hd_wallet::Stark derivation method, available for the Stark curve
Both derivation methods are non-standard, but secure and efficient.
If you're still using slip_10 and would like to migrate to the patched version, please migrate to hd_wallet v0.6. You may first migrate from slip_10 v0.4 to hd_wallet v0.5 by following the migration instructions available in the docs, and then upgrade from hd_wallet v0.5 to hd_wallet v0.6.
Workarounds
Technically, you don't need to upgrade if you don't use slip10-like derivation instantiated with curves other than secp256k1 or secp256r1.
However, if you do, migrating to another derivation method might be required.
Reach out to us in Discord
If you want to reach out to us, feel free to write to the #lockness room in Discord.
Credits
Thanks to Alessio Marziali for discovering and flagging this issue.
Permalink: https://github.com/advisories/GHSA-2ff4-xfpr-m32r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yZmY0LXhmcHItbTMycs4ABCjM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 days ago
Updated: 10 days ago
Identifiers: GHSA-2ff4-xfpr-m32r
References:
- https://github.com/LFDT-Lockness/hd-wallet/security/advisories/GHSA-2ff4-xfpr-m32r
- https://github.com/LFDT-Lockness/hd-wallet/commit/a7e37704600ee7c737dbb02db08814dd2d15389d
- https://github.com/advisories/GHSA-2ff4-xfpr-m32r
Blast Radius: 1.0
Affected Packages
cargo:slip-10
Dependent packages: 3
Dependent repositories: 0
Downloads: 13,467 total
Affected Version Ranges: <= 0.4.1
No known fixed version
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.4.1
cargo:hd-wallet
Dependent packages: 0
Dependent repositories: 0
Downloads: 3,607 total
Affected Version Ranges: < 0.6.0
Fixed in: 0.6.0
All affected versions: 0.5.0, 0.5.1
All unaffected versions: 0.6.0