Blockchain security firm SlowMist has identified a vulnerability in a widely used JavaScript cryptographic library that could expose users’ private keys to attackers.
The security flaw affects the popular “elliptic” library that provides elliptic curve cryptography functions for several cryptocurrency wallets, identity systems, and Web3 applications.
According to SlowMist’s analysis, the vulnerability comes from the library’s flawed handling of non-standard inputs during signature operations. This flow can lead to repeated random numbers in ECDSA signatures. Since the security of these signatures depends entirely on the uniqueness of these random values, any repetition allows attackers to mathematically derive the private key.
Vulnerability allows private key extraction with minimal interaction
The reason for the flaw is in how the elliptic library generates what cryptographers call the “k value.” This is a random number that should never be reused across different signatures. SlowMist’s analysis reveals that attackers can craft specific inputs that trick the library into reusing this value. “When generating k, the private key and message are used as seeds to ensure uniqueness under different inputs,” explains SlowMist’s report.
This flaw creates a dangerous attack vector because it needs minimal interaction with victims. An attacker only needs to observe one legitimate signature and then trick the target into signing a specially crafted message. By comparing these two signatures, the attacker can mathematically derive the victim’s private key using a relatively simple formula.
Widespread adoption puts numerous Web3 applications at risk
The usage of the elliptic library by the JavaScript community makes the potential impact of the vulnerability greater. SlowMist indicates that the vulnerability is present in all versions up to 6.6.0 and affects applications using various elliptic curves.
Any application that does ECDSA signatures on externally supplied input is at risk. This could include cryptocurrency wallets, decentralized finance apps, NFT platforms, and Web3-based identity authentication apps.
The library utilization in the digital currency space comes with an attack surface. If the private key is compromised, the attackers then have full control over the corresponding assets. The hackers can perform unauthorized transfers, alter ownership records, or impersonate users in decentralized apps.
SlowMist has also posted some emergency suggestions for users and developers to mitigate the security threat. Developers should first of all update the elliptic library to version 6.6.1 or above since the vulnerability has been officially addressed in the most recent release.
Apart from refreshing the library, SlowMist recommends developers include further security precautions within their apps. For the affected app users, the biggest concern is whether their private keys might already be at risk. SlowMist recommends that users who have possibly signed malicious or unknown messages should take the precaution of replacing their private keys.
Phishing attacks subside as technical vulnerabilities take center stage
Although SlowMist’s find indicates threats from tech vulnerabilities, figures from Scam Sniffer indicate that conventional phishing attacks have dropped for three straight months. In February 2025, $5.32 million was lost by 7,442 victims. This represents a 48% drop from January’s $10.25 million and a 77% fall from December’s $23.58 million.
🧵 [1/4] 🚨 ScamSniffer February 2025 Phishing Report
February losses: $5.32M | 7,442 victims
January losses: $10.25M | 9,220 victims
(-48% MoM) pic.twitter.com/HsZZSlYKJC— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) March 5, 2025
While this downward trend is apparent, a number of attack vectors are still extremely potent. Permit allowance attacks where hackers create wallet addresses that are visually indistinguishable from legitimate ones, resulted in the highest single loss worth $771,000 in ETH.
Permit-based attacks were close behind with $611,000 in losses, followed by unrevoked phishing approvals on BSC worth $610,000 in embezzled funds. IncreaseApproval exploits completed the top attack vectors with losses worth $326,000 in ETH.
Cryptopolitan Academy: Coming Soon – A New Way to Earn Passive Income with DeFi in 2025. Learn More
