The MtA "Bob with check" range proof in bnb-chain/tss-lib includes an elliptic-curve commitment $u = g^\alpha$ to the prover's randomness $\alpha$. Before the fix, the Fiat-Shamir challenge hash omitted $u$ (source):
```go
// crypto/mta/proofs.go — bnb-chain/tss-lib (pre-PR #43, vulnerable)
// u is computed but NOT included in the challenge hash:
eHash = common.SHA512_256i(
	append(pk.AsInts(), X.X(), X.Y(), c1, c2, z, zPrm, t, v, w)...
	// MISSING: u.X(), u.Y() — the EC commitment to the witness randomness
)
```
Because $u$ is absent from the hash, the challenge $e$ depends only on values the prover has already fixed, so the prover can compute $e$ before choosing $u$. That inverts the order Fiat-Shamir relies on: the commitment is supposed to be bound before the challenge is known. A malicious party can therefore pick the response first, compute $e$, and then solve the verification equation for the one value of $u$ that makes it hold, without ever knowing the witness. The proof is malleable and its soundness is gone: any value $u$ the verifier checks the response against must be an input to the challenge hash.
The fix (PR #43) added u.X(), u.Y() to the hash input:
```go
// Fixed: u (the EC commitment to witness randomness) is now in the hash
eHash = common.SHA512_256i(
	append(pk.AsInts(), X.X(), X.Y(), c1, c2, u.X(), u.Y(), z, zPrm, t, v, w)...
)
```
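To make the forgery concrete, here is an added, self-contained Go example (written for this page, not code from tss-lib) that strips the MtA proof down to the Schnorr-style core the bug lives in: a commitment $u = g^\alpha$, a challenge $e$, a response $s = \alpha + e x$, and the verifier check $g^{s} = u \cdot X^{e}$ on P-256. The `includeU` flag models the two hash inputs shown above; the point names, the `Prove`/`Verify`/`Forge` functions and the unprefixed hash encoding are assumptions of this toy, not tss-lib's API or encoding. `Forge` never sees the secret $x$, yet its proof verifies whenever $u$ is left out of the hash, and fails once $u$ is hashed.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
	"math/big"
)

// Toy Schnorr-style proof of knowledge of x with X = g^x on P-256 (assumed
// setup for this example). Commitment u = g^alpha, challenge e = H(...),
// response s = alpha + e*x mod n, verifier checks g^s == u * X^e.
var curve = elliptic.P256()
var n = curve.Params().N

type Point struct{ X, Y *big.Int }

type Proof struct {
	U Point   // commitment to the prover's randomness
	S *big.Int // response
}

// challenge computes e. includeU=false reproduces the pre-fix shape (u omitted);
// includeU=true reproduces the fix. Coordinates are hashed raw for brevity; a
// real implementation should length-prefix and domain-separate the inputs.
func challenge(X, u Point, includeU bool) *big.Int {
	h := sha512.New512_256()
	h.Write(X.X.Bytes())
	h.Write(X.Y.Bytes())
	if includeU {
		h.Write(u.X.Bytes())
		h.Write(u.Y.Bytes())
	}
	e := new(big.Int).SetBytes(h.Sum(nil))
	return e.Mod(e, n)
}

// Prove is the honest prover: it knows x.
func Prove(x *big.Int, X Point, includeU bool) Proof {
	alpha, _ := rand.Int(rand.Reader, n)
	ux, uy := curve.ScalarBaseMult(alpha.Bytes())
	u := Point{ux, uy}
	e := challenge(X, u, includeU)
	s := new(big.Int).Mul(e, x)
	s.Add(s, alpha)
	s.Mod(s, n)
	return Proof{U: u, S: s}
}

// Verify checks g^s == u * X^e, recomputing e with the same hash rule.
func Verify(X Point, p Proof, includeU bool) bool {
	if !curve.IsOnCurve(p.U.X, p.U.Y) {
		return false
	}
	e := challenge(X, p.U, includeU)
	lx, ly := curve.ScalarBaseMult(p.S.Bytes())
	xex, xey := curve.ScalarMult(X.X, X.Y, e.Bytes())
	rx, ry := curve.Add(p.U.X, p.U.Y, xex, xey)
	return lx.Cmp(rx) == 0 && ly.Cmp(ry) == 0
}

// Forge builds a proof for X WITHOUT x. When u is not hashed, e is already
// fixed before u exists, so pick s at random and back-solve u = g^s * X^{-e}.
// The zero point stands in for the not-yet-chosen u; it only affects e when
// includeU is true, which is exactly why the forgery then fails.
func Forge(X Point, includeU bool) Proof {
	placeholder := Point{new(big.Int), new(big.Int)}
	e := challenge(X, placeholder, includeU)
	s, _ := rand.Int(rand.Reader, n)
	gsx, gsy := curve.ScalarBaseMult(s.Bytes())
	xex, xey := curve.ScalarMult(X.X, X.Y, e.Bytes())
	negY := new(big.Int).Sub(curve.Params().P, xey) // -(X^e) is (x, p-y)
	ux, uy := curve.Add(gsx, gsy, xex, negY)
	return Proof{U: Point{ux, uy}, S: s}
}

// Demo returns: honest proof verifies; forgery accepted with u omitted; forgery accepted with u hashed.
func Demo() (honestOK, forgeAcceptedVulnerable, forgeAcceptedFixed bool) {
	x, _ := rand.Int(rand.Reader, n) // constructed secret for the demo
	Xx, Xy := curve.ScalarBaseMult(x.Bytes())
	X := Point{Xx, Xy}
	honestOK = Verify(X, Prove(x, X, true), true) && Verify(X, Prove(x, X, false), false)
	forgeAcceptedVulnerable = Verify(X, Forge(X, false), false)
	forgeAcceptedFixed = Verify(X, Forge(X, true), true)
	return
}

func main() {
	h, v, f := Demo()
	fmt.Println("honest proof verifies:", h)
	fmt.Println("forged proof accepted, u omitted from hash:", v)
	fmt.Println("forged proof accepted, u included in hash:", f)
}
```

The forgery is the textbook consequence of hashing the wrong set of values: Fiat-Shamir only binds what goes into the hash, so the verifier's equation must be checked against a $u$ that the challenge already depends on. The same review question applies to every Fiat-Shamir proof in a threshold-signing library: list every value the verification equations use and confirm each one is a hash input.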