Common MPC Pitfalls

Multichain fastMPC DLN `Iterations = 1` (TSSHOCK)

Multichain’s anyswap/FastMulThreshold-DSA, a fork of bnb-chain/tss-lib, reduced the DLN proof iteration constant from the tss-lib default of 128 to 1 in commit 4e543437c6. Each iteration contributes one challenge bit, so a single iteration collapses the proof's soundness margin to a coin flip per attempt:

```go
// FILE: smpc-lib/crypto/ec2/ntildeZK.go — anyswap/FastMulThreshold-DSA @ 4e543437 (vulnerable)
const (
    // Iterations iter times
    Iterations = 1
)
```

Verichains demonstrated the TSSHOCK c-guess attack against this configuration. The adversary forges the two NtildeProofs offline by guessing the single challenge bit and retrying until Fiat-Shamir returns the guessed bit, then broadcasts the malicious $\tilde N, h_1, h_2$ package during key generation. Once those parameters are accepted, the adversary can recover the TSS private key from MtA range-proof leakage in the first signing ceremony.

The fix in commit 7727e4f833 restored the constant:

```go
// FILE: smpc-lib/crypto/ec2/ntildeZK.go — anyswap/FastMulThreshold-DSA @ 7727e4f8 (fixed)
const (
    // Iterations iter times
    Iterations = 128
)
```
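A verifier-side illustration of why the constant matters, added here and not code from FastMulThreshold-DSA or tss-lib: a simplified DLN proof in tss-lib's shape (one alpha/response pair per iteration, all challenge bits drawn from a single hash), whose verifier enforces a minimum iteration count before doing any arithmetic, so a one-iteration proof is rejected outright rather than accepted on a 50% guess. The names `MinIterations`, `ProveDLN` and `VerifyDLN` are assumptions for this example, the hash lacks tss-lib's length-prefixed domain separation, and the toy modulus used in the test is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha512"
	"math/big"
)

// MinIterations is the floor a verifier must enforce (tss-lib's default is 128): guessing every challenge bit succeeds with probability 2^-k, a coin flip at k=1.
const MinIterations = 128

// DLNProof proves knowledge of x with h2 = h1^x mod N, in tss-lib's shape.
type DLNProof struct{ Alpha, T []*big.Int }

// challenge binds h1, h2, N and every alpha; bit i is iteration i's challenge. Toy hashing (no length prefixes); 256 output bits caps k at 256.
func challenge(h1, h2, N *big.Int, alpha []*big.Int) *big.Int {
	h := sha512.New512_256()
	for _, v := range append([]*big.Int{h1, h2, N}, alpha...) {
		h.Write(v.Bytes())
	}
	return new(big.Int).SetBytes(h.Sum(nil))
}

// ProveDLN is the honest prover; pq is the order of the QR subgroup mod N.
func ProveDLN(h1, h2, x, pq, N *big.Int, k int) *DLNProof {
	p := &DLNProof{make([]*big.Int, k), make([]*big.Int, k)}
	a := make([]*big.Int, k)
	for i := range a {
		a[i], _ = rand.Int(rand.Reader, pq)
		p.Alpha[i] = new(big.Int).Exp(h1, a[i], N)
	}
	c := challenge(h1, h2, N, p.Alpha)
	for i := range a { // t_i = a_i + c_i*x mod pq
		t := new(big.Int).Mul(x, big.NewInt(int64(c.Bit(i))))
		p.T[i] = t.Add(t, a[i]).Mod(t, pq)
	}
	return p
}

// VerifyDLN rejects short proofs before any arithmetic (the margin Multichain's constant removed), then checks h1^t_i == alpha_i * h2^c_i mod N per iteration.
func VerifyDLN(p *DLNProof, h1, h2, N *big.Int) bool {
	if len(p.Alpha) != len(p.T) || len(p.Alpha) < MinIterations {
		return false
	}
	c := challenge(h1, h2, N, p.Alpha)
	for i := range p.T {
		lhs := new(big.Int).Exp(h1, p.T[i], N)
		rhs := new(big.Int).Exp(h2, big.NewInt(int64(c.Bit(i))), N)
		if lhs.Cmp(rhs.Mul(rhs, p.Alpha[i]).Mod(rhs, N)) != 0 {
			return false
		}
	}
	return true
}
```

With k = 128 an honest proof verifies and a tampered response fails; with k = 1 the proof is refused by the length check alone, which is the guard a fork that edits the constant also needs in its verifier.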