NEAR One Confidential Key Derivation
Type: Security review
Client: NEAR One
Date: 2025-12
Domain: Crypto
Effort: 4 wks
Section: Cryptography Reviews
Trail of Bits's security review of NEAR One (Dec 2025) identified 15 issues: 2 high, 3 medium, 3 low, and 7 informational.
Findings · 15
- 1 CKD protocol allows a malicious coordinator to control the derived key (High)
- 2 CKD response handler lacks access controls (High)
- 3 The index function panics when the participant is not in the list (Medium)
- 4 AppId Borsh serialization function truncates the AppId bytes if the length is larger than u32::MAX (Informational)
- 5 The CKD coordinator hangs forever waiting for all participants (Informational)
- 6 Polynomial generation function can panic or create a constant polynomial when called with a large degree (Low)
- 7 Reliable broadcast indexes vectors to received indices (Medium)
- 8 Resharing with a new participant and threshold equal to one will always fail (Medium)
- 9 PolynomialCommitment deserialization function does not trim the coefficient list (Informational)
- 10 CKDRequestStorage::get treats any broadcast receive error as fatal (Informational)
- 11 Potential credential persistence in artifacts (Informational)
- 12 Unpinned external GitHub CI/CD action versions (Low)
- 13 Inconsistent handling of threshold in key refresh protocol (Informational)
- 14 Unpinned versions and potential credential persistence in nearcore GitHub workflows (Low)
- 15 CKD protocol relies solely on MPC node secrets (Informational)
Findings extracted from the published report PDF. See the full report below for details and remediation.