The MtA “Bob-with-check” range proof in bnb-chain/tss-lib involves a commitment $u = g^\alpha$ to the prover’s randomness. Pre-fix, the Fiat-Shamir (FS) challenge hash omitted $u$ (source):
```go
// crypto/mta/proof.go — bnb-chain/tss-lib (pre-PR #43, vulnerable)
// u is computed but NOT included in the challenge hash:
eHash = common.SHA512_256i(
	append(pk.AsInts(), X.X(), X.Y(), c1, c2, z, zPrm, t, v, w)...
	// MISSING: u.X(), u.Y() — the EC commitment to the witness randomness
)
```
Because $u$ is absent, the challenge $e$ is independent of the prover’s randomness commitment. A malicious party fixes a desired response, recomputes the challenge on values of its choosing, and solves for a consistent $u$ after the fact, forging a valid-looking proof without a witness.
The fix (PR #43) added u.X(), u.Y() to the hash input:
```go
// Fixed: u (the EC commitment to witness randomness) is now in the hash
eHash = common.SHA512_256i(
	append(pk.AsInts(), X.X(), X.Y(), c1, c2, u.X(), u.Y(), z, zPrm, t, v, w)...
)
```