CVE-2020-12118
Description
The keygen protocol implementation in Binance tss-lib before 1.2.0 allows attackers to generate crafted h1 and h2 parameters in order to compromise a signing round or obtain sensitive information from other parties.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A flaw in the keygen protocol of Binance tss-lib before 1.2.0 allows crafted parameters to compromise signing rounds or leak sensitive information.
The vulnerability exists in the key generation (keygen) protocol implementation of Binance tss-lib, a threshold signature scheme library. Prior to version 1.2.0, the protocol allowed an attacker to generate crafted h1 and h2 parameters during the distributed key generation process [1][2]. This stems from insufficient validation of the discrete logarithm proof (DLNProof) that is supposed to guarantee both parties share the same group modulo N [3].
An attacker who participates in the keygen protocol can supply malicious h1 and h2 values that pass the existing proof checks but do not actually satisfy the required group relationship [1]. No special network position is required beyond being a participant in the keygen; the attacker may be any party in the multi-party computation [2]. The flaw can be triggered without authentication bypass—the attacker simply follows the protocol steps but with crafted parameters.
Successful exploitation allows the attacker to compromise the integrity of subsequent signing rounds, potentially leading to signature forgery or the extraction of sensitive information about other parties' secret shares [2]. This undermines the security guarantees of the threshold signature scheme, which is designed to prevent any single participant from learning others' secrets or producing valid signatures alone.
The issue was addressed in version 1.2.0 of tss-lib, released on GitHub, which includes a corrected DLNProof implementation [1][4]. Users are advised to update to v1.2.0 or later. No workaround is available; updating the library is the only recommended mitigation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/binance-chain/tss-lib (Go) | < 1.2.0 | 1.2.0 |
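
An added example, not code from tss-lib or the advisory: a Go check that reads a go.mod and reports whether it requires a tss-lib release in the affected range listed above. The function names and the sample go.mod line are constructed for illustration, and the parser assumes the module appears only in `require` entries.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module path and first patched release, both taken from the advisory table.
const module = "github.com/binance-chain/tss-lib"
var patched = [3]int{1, 2, 0}

// Affected (hypothetical helper) reports whether a Go module version is < 1.2.0.
func Affected(v string) (bool, error) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop "+incompatible"
	v, _, pre := strings.Cut(v, "-")                       // "-suffix": pre-release or pseudo-version
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("unexpected version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false, err
		}
		if n != patched[i] {
			return n < patched[i], nil
		}
	}
	return pre, nil // a pre-release of 1.2.0 sorts before 1.2.0
}

// RequiredVersion returns the tss-lib version in a go.mod, or "" (block context is not tracked).
func RequiredVersion(goMod string) string {
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop trailing comments such as "// indirect"
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module && f[1] != "=>" {
			return f[1]
		}
	}
	return ""
}

func main() { // constructed one-line go.mod
	v := RequiredVersion("require github.com/binance-chain/tss-lib v1.1.1\n")
	hit, err := Affected(v)
	fmt.Println(v, hit, err)
}
```
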
Affected products
- Binance/tss-lib
References
- github.com/advisories/GHSA-399h-cmvp-qgx5 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-12118 (advisory)
- github.com/binance-chain/tss-lib/pull/89 (web)
- github.com/binance-chain/tss-lib/pull/89/commits/7b7c17e90504d5dad94b938e84fec690bb1ec311 (web)
- github.com/binance-chain/tss-lib/releases/tag/v1.2.0 (web)