Safeheron has recently released the Web3 Suite, which allows customers to securely interact with decentralized applications (dApps) through the Safeheron browser extension using Multi-Party Computation (MPC) and Trusted Execution Environment (TEE) technology. The Web3 Suite addresses the requirements of multi-party governance of assets.
As dApps come in various forms and have different security designs, Safeheron’s security team regularly reviews dApps that their clients interact with to ensure there are no potential security issues. During a recent review, the security team identified potential issues with certain authorization designs in some dApps.
It was discovered that in some scenarios, dApp authorization connections could bypass the security protection of private keys in hardware (cold) wallets, potentially granting access to core operation permissions without proper authorization through the hardware wallet.
Self-custodial wallets built with MPC typically do not allow the platform to control a user’s assets, only permitting asset transfers with user authorization to participate in MPC computations. However, when connecting MPC wallets to specific dApps, the principle of the platform not having control over user assets could be compromised, enabling the platform to control user assets in the dApp without user authorization. Customers may be able to circumvent established transaction policies, and employees who depart the organization may still access and operate the dApp.
Upon discovering these issues, the Safeheron security team immediately collaborated with the SlowMist security team to verify, confirm, and develop solutions, and the SharkTeam participated in issue verification as well. Safeheron disclosed this issue to potentially affected parties.
It has been verified that these issues do not impact the security of MPC wallets when managing funds and only pose potential security risks when interacting with specific dApps. Safeheron refers to these issues caused by similar mechanisms as Signature-derived Key Risk.
The dYdX protocol is an example of the need to enhance security in such dApps in specific scenarios and a solution to achieve this. dYdX is an exchange for margin trading, borrowing, and lending of digital assets. The exchange uses a deterministic random algorithm in ECDSA and distributed signing protocol in MPC-ECDSA protocol for key management.
In dYdX, there are three levels of authentication for private API: Ethereum Key Authentication, STARK Key Authentication, and API Key Authentication. dYdX’s sensitive operations, such as placing orders or transferring assets, require only STARK Key Authentication and API Key Authentication, eliminating the need for Ethereum Key Authentication.
dYdX’s UI and TypeScript and Python SDKs have implemented a key management method built on the EVM L1 wallet architecture, which aims to prevent the loss of the STARK Key and the API key. The same STARK Key and API key can be repeatedly derived using a fixed derivation algorithm as long as the L1 wallet private key is not lost.
To derive STARK Key and API key, dYdX’s core derivation logic uses the eth_signTypedData_v4 signing method of L1 ECDSA Signer to sign the message ‘dYdX STARK Key’ to obtain stark_key_signature. This step will require users to authorize the signature using their wallet. The same process is used to derive API key.
In summary, the Safeheron Web3 Suite with Multi-Party Computation and Trusted Execution Environment technology enhances security when interacting with dApps. Safeheron’s security team has identified potential security issues in certain authorization designs in some dApps and collaborated with the SlowMist security team to verify, confirm, and develop solutions. dYdX protocol is an example of the need to enhance security in such dApps in specific scenarios and a solution to achieve this.
Read more:
- Klaytn Plans To Burn 5.28 Billion KLAY To Rebalance Ecosystem Funds
- Klaytn Foundation Proposes Burning 48% Of Total Supply Of KLAY