Ok, I'm going to go ahead and say it. Silence Labs' DKLS implementation, and Vultisig's Go wrapper of it, is not ready for primetime use on @THORChain.
The THORchain $10.8M is gone - let's protect the next protocol or wallet.
Here is a short list of ECDSA TSS protocols and libraries that should not be in production right now. The list exists. The deprecations are documented publicly; please follow them:
You're right. It's not a casino and it loses people's money.
2019-2020: Multiple treasury grabs by insiders (both known and unknown, both DPRK and not DPRK)
June 2021: $200k Asset name parsing
July 2021: $5m Bifrost Override handler
July 2021: $8m Fake deposit exploit
July 2021: $2m literally again the same shit bc you can't fix your fucking shit
July 2021: mid 6 figs in phishing thefts on top of it lmaooooooo
2023: tsshock but too lazy to patch
2024: $100m-$200m Thorfi Rugpull
2025: $3m JP key compromises (btw some of his prod keys still aren't rotated you motherfucking retards)
2026: $11m TSS/unknown
Personally, if I must lose my money, I prefer to lose it to a casino.
A casino is also more honest about its core properties and ambitions.
The biggest thing I'm struggling with rn is not the theoretical attack flows. It's literally the sheer number of variables and tracking what people are supposed to have vs absolutely cannot have.
Keygen reveals X^y
Round 1 reveals y mod q
On and on and on
Ultimately you're trying to solve for 1 parameter in a long equation. But also it could be any number of parameters bc, again, so many different parameters and combinations of parameters and being shared and you can solve equations in many many ways.
Some shit happens during keygen, some during signing, and even more during aborts/blames (when signing fails at some point in the 7 fucking rounds)
And on top of it, since you're a malicious attacker, you can craft your own parameters. You can even change them over time. Which will then result in different outputs being returned. Which leaks information.
All of which would allow the equation to be solved. And thus you, the attacker, being able to derive the underlying ECDSA key that shouldn't exist.
One example:
For some unknown reason I was under the impression that the TSS stack of vulns were in the same sorta class as other cryptography vulns.
It's honestly a completely different beast and I'm struggling to understand how anyone figured this would ever be secure enough lol?