How to get user's private key on the MPC Core Kit SDK

I’m a bit confused. In the docs, you say that when using the MPC Core Kit, you can’t reconstruct a user’s private key on the frontend, but I’m seeing this code snippet in your React Firebase MPC CoreKit examples:

<button onClick={async () => uiConsole(await coreKitInstance._UNSAFE_exportTssKey())} className="card">
  [CAUTION] Export TSS Private Key
</button>

When you click the button, you can then get a user’s private key that can then be exported from the application and imported somewhere else, like MetaMask, where your account can be reconstructed. The method has been called _UNSAFE_exportTssKey(). So is there a way to safely export your TssKey? And why are users who haven’t even enabled MFA able to get and reconstruct their private key in this manner?

@bruno1 Thanks for your question.

Your request has been forwarded to our Dev team and we will get back with further updates.

Hi @bruno1
Originally, users can’t get the final private key if they use the MPC Core Kit SDK.
But by using _UNSAFE_exportTssKey, a user can get the final private key.
This is not a usability we recommend, which is why we label it UNSAFE.

Here’s how it works under the hood.
The export function will create an extra share, then reconstruct the final key.
At the end of the function, it will delete the extra share,
then return the final key.

That’s why users who haven’t even enabled MFA can still get the private key.
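
For teams that do not want this export path in a production front end, one way to catch it in review or CI is a source check for the method name. This is an added example, not code from the thread or from Web3Auth; `scanSource`, `scanProject`, the file paths and the allow-list are assumptions made for illustration.

```javascript
const UNSAFE_METHOD = "_UNSAFE_exportTssKey"; // method name as given in the thread

// Classify one occurrence: a direct method call, or any other mention
// (bracket access by string, passing the method as a value, destructuring).
function classify(line, index) {
  const after = line.slice(index + UNSAFE_METHOD.length);
  const before = line.slice(0, index);
  if (/^\s*\(/.test(after) && /\??\.\s*$/.test(before)) return "call";
  return "reference";
}

// Every mention is reported, comments included: for a key-export path a
// false positive is cheaper than a miss.
function scanSource(file, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    let from = 0;
    for (;;) {
      const index = text.indexOf(UNSAFE_METHOD, from);
      if (index === -1) break;
      const kind = classify(text, index);
      findings.push({ file, line: i + 1, column: index + 1, kind, text: text.trim() });
      from = index + UNSAFE_METHOD.length;
    }
  });
  return findings;
}

// Scan a { path: source } map. Paths listed in `allowed` (hypothetical: an
// internal recovery tool) are skipped; findings elsewhere should fail the build.
function scanProject(files, allowed = []) {
  return Object.entries(files)
    .filter(([path]) => !allowed.includes(path))
    .flatMap(([path, source]) => scanSource(path, source));
}

// Constructed sample input; the first file holds the button quoted in the thread.
const sampleFiles = {
  "src/App.tsx": [
    '<button onClick={async () => uiConsole(await coreKitInstance._UNSAFE_exportTssKey())} className="card">',
    "  [CAUTION] Export TSS Private Key",
    "</button>",
  ].join("\n"),
  "src/util.ts": 'const fn = kit["_UNSAFE_exportTssKey"]; // indirect access',
  "tools/recovery.ts": "await kit._UNSAFE_exportTssKey();",
};

const findings = scanProject(sampleFiles, ["tools/recovery.ts"]);
for (const f of findings) console.log(`${f.file}:${f.line}:${f.column} ${f.kind}`);
```

In a pipeline, the map would be filled from the files of the front-end bundle and a non-empty result would fail the job.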