# Announcing mpcsec.org: What Goes Wrong When You Implement MPC

- **Authors**: ZK/SEC
- **Date**: May 25, 2026
- **Tags**: educative, security, MPC

![banner](https://blog.zksecurity.xyz/posts/mpc-pitfalls/banner.webp)

On May 15, 2026, [THORChain was hit by a targeted exploit that drained roughly $10.7M from one of its vaults](https://thorchain.org/blog/thorchain-exploit-report-1), the result of a flawed implementation of GG20, an MPC-based threshold signature scheme. Even when a scheme is theoretically sound, things can easily go wrong while implementing it. So, if you are implementing or auditing MPC, head over to [mpcsec.org](https://mpcsec.org).

#### What is mpcsec.org?

At the RWMPC 2025 workshop, a group of practitioners agreed that the field needed a shared, living reference for the implementation mistakes that keep recurring. That conversation grew into a collaborative project, and today we are happy to announce its first public release: [mpcsec.org](https://mpcsec.org), a guide to common multi-party computation pitfalls maintained with contributors from zkSecurity, Trail of Bits, Partisia, and Zama.

The guide currently covers six categories: **input validation**, **context binding**, **concurrency and state**, **insecure subprotocols**, **failure recovery**, and **adaptive inputs**. It also catalogs improper use of the cryptographic primitives that MPC protocols rely on, since even a well-designed scheme can fail when its building blocks are misused. Each entry walks through a pitfall, how it can go wrong, and how to avoid it, with examples drawn from real deployed libraries like tss-lib, WSTS, MP-SPDZ and Drand.

#### Auditing with AI assistance

mpcsec.org also ships with a [`SKILL.md`](https://mpcsec.org/skill.md) file to help guide LLM-assisted code reviews.

#### Your Feedback is Invaluable

We hope that this website becomes a reference. Tell us what you think. Share your suggestions, or any new MPC-related bugs, via [a PR](https://github.com/rot256/mpc-pitfalls).

#### Get in touch

If you would like an extra set of eyes on your MPC stack, reach out at [hello@zksecurity.xyz](mailto:hello@zksecurity.xyz).

> [!Tip]
> Curious about how MPC techniques connect to zero-knowledge proofs? See our gentle introduction to [the MPC-in-the-Head transformation](https://blog.zksecurity.xyz/posts/mpcith-intro/).

---

This article was published on the [ZK/SEC Quarterly](https://blog.zksecurity.xyz) blog by [ZK Security](https://www.zksecurity.xyz), a leading security firm specialized in zero-knowledge proofs, MPC, FHE, and advanced cryptography. ZK Security has audited some of the most critical ZK systems in production, discovered vulnerabilities in major protocols including Aleo, Solana, and Halo2, and built open-source tools like [Clean](https://github.com/Verified-zkEVM/clean) for formally verified ZK circuits. For more articles, see the [full list of posts](https://blog.zksecurity.xyz/llms.txt).
