July 12, 2021: Anyswap in a Storm ⛈️💸

$8MM drained in Anyswap v3 weak signatures exploit

Exploits are back! I forget, are hacks a sign of bull or bear market?

The Anyswap network had become a popular low cost method for bridging tokens.

Curve Finance @CurveFinance

@DeFiWizard1 @FantomFDN Anyswap bridge should be as cheap as doing a token transfer

5:20 PM ∙ Jun 17, 2021

Anyswap v3 launched just over a month ago, offering innovative cross-chain liquidity pools. Unfortunately, a flaw in the new protocol was exploited over the weekend, and a hacker (0x0aE1554860E51844B61AE20823eF1268C3949f7C) drained $8MM across Ethereum, Fantom, and BSC. Users of v1 and v2 are not affected, and Anyswap announced v3 LPs would not incur any loss.

Anyswap @AnyswapNetwork

An exploit was detected in the new anyswap v3 prototype, all bridge funds used in v1/v2 are safe, a full post mortem will be released. Remedial action already in place for all exploited funds. LPs to v3 won't take any losses.

3:40 PM ∙ Jul 11, 2021

---

Anyswap @AnyswapNetwork

Anyswap Multichain Router V3 Exploit Statement All funds in the Anyswap V1/V2 bridges are safe. LPs to v3 won't take any losses. Please go 👇 to see the details: link.medium.com/00PMOaEgOhb

5:09 PM ∙ Jul 11, 2021

---

What exactly happened? Let’s talk about a different type of Curve than we usually discuss. Elliptic Curves!

People like to brag that cryptocurrency is “secured by math” but often don’t talk much about the actual math involved. Elliptic curves look like the funky horseshoe shape above and are easily calculated as the set of points satisfying a simple equation:

These curves have the nice property that any non-vertical line drawn between two points on the curve will intersect with, at most, one other point. This makes them useful to produce asymmetric key pairs.

Asymmetric key pairs have to be easy to generate but difficult to verify. The process of Elliptic Curve cryptography is to use two points to find the unique third point generated from this pair. Use the result to derive a few related points in a deterministic fashion. The process is iterated some n time to land at a final point. As it turns out, if you are given the first point and the final point, it’s mathematically difficult to calculate n, the number of trips you had to take to get between them. Yet it’s easy to verify — exactly what we need for asymmetric key pairs.

The process looks as follows, from Cloudflare’s more thorough explainer:

This is the guts of the ECDSA, the Elliptic Curve Digital Signature Algorithm. The specific steps are outlined as follows per Wikipedia:

Wikipedia goes on to note that “it is not only required for k to be secret, but it is also crucial to select different k for different signatures, otherwise the equation in step 6 can be solved for d_A, the private key. This method of attack was described as far back as 2012. If you happen to reuse k, it becomes easy to solve for the private key and directly drain the wallet.

banteg @bantg

Great talk about recovering private keys from weak ECDSA nonces. The authors have scanned over a billion signatures from Bitcoin and Ethereum and found a lot of peculiarities.

youtube.comBiased Nonce Sense Lattice attacks against weak ECDSA signatures in the wildPresentation by Nadia Heninger at Workshop on Attacks in Cryptography 2 (WAC2).

7:40 AM ∙ Jul 12, 2021

---

It just so happens Anyswap v3 committed exactly this mistake.

Taylor Monahan @tayvano_

Anyswap post-mortem: >Two transactions have the same R value signature. > Hacker deduced the private key to this MPC account in reverse 😮

Anyswap @AnyswapNetwork

Anyswap Multichain Router V3 Exploit Statement All funds in the Anyswap V1/V2 bridges are safe. LPs to v3 won't take any losses. Please go 👇 to see the details: https://t.co/VM6iC3O1TD

3:39 AM ∙ Jul 12, 2021

---

Taylor Monahan @tayvano_

@nicksdjohnson @bantg 1/ @kobigurk & @gakonst teach me stuff: 1. no nonce in BLS. beauty of BLS threshold sigs is you can combine them after one round and it's all deterministic 2. anyswap is using threshold ESDSA = still ECDSA = still needs nonce (sometimes being referred to as "r" or "k")

10:32 AM ∙ Jul 12, 2021

---

Anyswap quickly fixed their bug, although experts noted that this patch is itself a bit patchy.

nick.eth @nicksdjohnson

In case you were wondering if anyswap is safe now they've patched the bug, I present for your consideration, the patch:

github.comAvoid using duplicate R · anyswap/Anyswap-MPCNode@31f94ffContribute to anyswap/Anyswap-MPCNode development by creating an account on GitHub.

9:08 AM ∙ Jul 12, 2021

---

nick.eth @nicksdjohnson

Setting aside the fact that there's a much better, industry standard solution to this, their patch: - Fails catastrophically (exposing users to another hack) if you accidentally delete a file - ... or restore from an old backup - ... or move to a new server

9:29 AM ∙ Jul 12, 2021

The preferred solution would be a deterministic nonce.

banteg @bantg

@nicksdjohnson This is a ridiculous patch, the best practice is to use deterministic nonce generation by hashing (priv, msg)

9:18 AM ∙ Jul 12, 2021

---

Zhaojun @zhaojun_sh

@bantg @nicksdjohnson Anyswap MPC network use gg20 MPC algorithm, different from the deterministic nonce used by normal signature.

10:27 AM ∙ Jul 12, 2021

This simple solution may be scoffed at by British people, who recently took to sniggering at the common term nonce. It turns out that in their confusing dialect of “English” a nonce refers to nutters who fancy shagging sprogs. Blimey!

Christopher Bendiksen @C_Bendiksen

lol, I have lived in London for 8 years now, worked with #Bitcoin for four of those years, and I had *no idea* that nonce meant anything other than an arbitrary number that can be used just once. Gotta hand it to the brits for their ability to keep a straight face... Awkward 😅

2:50 PM ∙ Jul 5, 2021

---

Fortunately for all involved, the $8MM hack was relatively small and Anyswap alleges no LPs will lose funds in the incident. Nonetheless, it’s always disconcerting when old security holes are exploited. It’s almost as if we’re doomed to keep repeating the same mistakes over and over again…

The Defiant @DefiantNews

🦧Someone just aped in nearly $15M into @IronFinance V2 polygonscan.com/tx/0xcec9b4be6… @mcuban is that you?👀

polygonscan.comPolygon Transaction Hash (Txhash) Details | PolygonScanPolygon (MATIC) detailed transaction info for txhash 0xcec9b4be6890a09f36ad17602e0f7c4644af8536a71890a6d80e5789afac6aea. The transaction status, block confirmation, gas fee, MATIC, and token transfer are shown.

1:30 PM ∙ Jul 12, 2021

---

---

For more info, check our live market data at https://curvemarketcap.com/ or our subscribe to our daily newsletter at https://curve.substack.com/. Nothing in our newsletter can be construed as financial or technical advice. Author is a $CRV maximalist, has no position in Anyswap and does not speak British.