Common Multi-Party Computation Pitfalls
Welcome! This is a collection of common mistakes made when implementing MPC protocols, intended to help developers and auditors implement MPC securely.
About the Project
At the RWMPC 2025 workshop, a group of practitioners agreed that the field needed a shared, living reference for the implementation mistakes that keep recurring. This guide to common multi-party computation pitfalls is the result, maintained by contributors from zkSecurity, Trail of Bits, Partisia, and Zama. The guide currently covers six categories: input validation, context binding, concurrency and state, insecure subprotocols, failure recovery, and adaptive inputs. It also catalogs improper use of the cryptographic primitives that MPC protocols rely on, since even a well-designed scheme can fail when its building blocks are misused. Each entry describes a pitfall, the ways it goes wrong in practice, and how to avoid it, with examples drawn from real, deployed libraries such as tss-lib, WSTS, MP-SPDZ, and Drand.
Contributors
- Mathias Hall-Andersen @rot256 zkSecurity
- Mike Junior Sinsoillier @jmnis zkSecurity
- Martin Ochoa @martin-ochoa zkSecurity
- Joop van de Pol @jvdprng Trail of Bits
- Anders Dalskov @anderspkd Partisia
- Tore Frederiksen @jot2re Zama
- Daniel Demmler @dd23 Zama
Main Project Page
The main project page contains source files, contribution details, and project metadata.
Links
Audit your MPC implementation with the auditing skill, or discuss and contribute on GitHub.