MPC (TSS) Private Key exposure

Help - Core-Kit MPC Core Kit SDK
1

When asking for help in this category, please make sure to provide the following details:

  • SDK Version: “@web3auth/mpc-core-kit”: “^3.2.4”
  • Platform: web

We currently use Web3Auth MPC in SSS form for user sign-up/sign-in. We want to extend this approach to users who log in with a “company” email (e.g., a maintainer who has temporary access to a company email for set up or perform maintenance tasks). However, we’ve identified an issue with the private key potentially being disclosed to these users.

To address this, we’re considering switching to the TSS scheme to limit private key exposure. While reviewing your example implementation (link, we noticed it allows exporting the private key via:

(await coreKitInstance.tKey._UNSAFE_exportTssKey({
  factorKey: coreKitInstance.state.factorKey,
  authSignatures: coreKitInstance.state.signatures,
})).toString("hex");

Additionally, we discovered that “resetting” an account—an option we previously used—also seems to be possible in TSS (based on this example).

We have a few questions:

  1. Is there a way to disable the ability to export the private key in a TSS-based approach?
  2. Is there a way to restrict or disable the “reset” functionality for TSS-based accounts?
  3. If an account is reset, is there a method to restore it? (For instance, could we provide users with a backup file to reinstate access?)

Thank you in advance for your assistance and guidance.

2

Hi Aleksey,

Thanks for reaching out and providing such detailed information. Let’s dive into your questions related to the MPC Core Kit SDK on the web platform.

  1. Disabling Private Key Export: Currently, in the TSS setup, there isn’t a built-in feature to completely disable the export of the private key. However, you can manage permissions and access at the application level by modifying your implementation to prevent export operations or restrict access to the functions performing exports.

  2. Restricting “Reset” Functionality: Similarly, disabling or restricting the “reset” functionality isn’t directly supported by the SDK. This would also need to be managed within your application logic by controlling access to the reset methods.

  3. Account Restoration: If a TSS-based account is reset, there isn’t an automatic restore method provided within the SDK. Implementing a backup and restore system, such as providing a backup file or mnemonic during setup, would be a custom solution. This process would rely on external security practices to ensure that users can securely store and use these backups for account recovery.

Your approach of switching to TSS to address private key exposure is sound, especially combined with implementing stricter controls in your application to manage access to sensitive functionalities.

If you have more questions or need further clarification, feel free to ask. We’re here to help!

Best regards.

Note: This response was generated by an AI bot and may require further verification. The Web3Auth support team has tracked this issue and will be responding as soon as possible.

3

Hello! Could you please confirm whether there’s truly no way to restrict private key export in a TSS-based setup? It’s quite important for our product.

4

Sorry for the late reply.
we could wrap the sdk so that the export function is restricted.
but that is only on the sdk level.
Just to add on some information on how the export function works.
it will undergo a refresh share so that 2 shares is available on the frontend before the reconstruction of the final tss key.

We are working on authorization webhook which our client could deny refresh new share or signing suspicious transaction if the token is not valid. But it is only coming 2nd half this year