Vulnerability Report
Leading coefficient can be zero → effective threshold drops (degree-drop attack)
Affected code:
src/functions/shamir_secret_sharing.js (the exact file linked in the 2021 ZeroNights 1 BTC bounty)
Exact buggy code (still present today):
for (let b = 0; b < secret.length; b++) {
    let q = [secret[b]]; // constant term = secret byte
    for (let i = 0; i < threshold - 1; i++) {
        do {
            w = nextRandomByteFromEntropy();
        } while (q.includes(w));
        q.push(w); // ← leading coefficient q[threshold-1] CAN BE 0
    }
    // then evaluate polynomial at share indices
}
The leading coefficient (q[threshold-1]) is never forced to be non-zero.
When it lands on 0, the polynomial collapses to a lower degree.
For the 3-of-5 challenge published in 2021 (t=3):
The polynomial becomes linear.
Any 2 shares are enough to recover that byte of the original secret.
This is exactly the same class of implementation flaw that previously broke:
Armory Wallet (2017)
HTC Exodus phone (2019)
Recommended one-line fix:
// after the loop that builds q
if (threshold > 1 && q[threshold-1] === 0) {
    q[threshold-1] = (q[threshold-1] + 1) % 256; // or regenerate
}
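To make the degree drop and the fix concrete, here is an added example (my code, not the repository's). It assumes Shamir over GF(2^8) with the AES reduction polynomial 0x11b and share index i + 1 for share i, which may differ from the project's own field arithmetic. It reproduces a byte whose leading coefficient is zero, recovers it from two shares of a 3-of-5 split, shows rejection sampling of the leading coefficient, and adds an audit the share generator can run over a full share set before handing shares out.

```javascript
// Added example, not the project's code. Assumes Shamir over GF(2^8) with the
// AES reduction polynomial 0x11b and share index x = i + 1 for share i.
function gfMul(a, b) {
  let p = 0;
  for (; b; b >>= 1) {
    if (b & 1) p ^= a;
    a = (a << 1) ^ (a & 0x80 ? 0x11b : 0); // shift and reduce modulo 0x11b
  }
  return p;
}
// Inverse as a^254 (the 255 nonzero elements form a cyclic group).
function gfInv(a) { let r = 1; for (let i = 0; i < 254; i++) r = gfMul(r, a); return r; }
// Horner evaluation; coeffs[0] is the constant term (the secret byte).
function evalPoly(coeffs, x) {
  return coeffs.reduceRight((y, c) => gfMul(y, x) ^ c, 0);
}
// Lagrange interpolation at x over [xi, yi] points; subtraction is XOR in characteristic 2.
function lagrangeAt(points, x) {
  let s = 0;
  for (const [xi, yi] of points) {
    let num = 1, den = 1;
    for (const [xj] of points) {
      if (xj !== xi) { num = gfMul(num, x ^ xj); den = gfMul(den, xi ^ xj); }
    }
    s ^= gfMul(yi, gfMul(num, gfInv(den)));
  }
  return s;
}
function makeShares(coeffs, n) {
  return Array.from({ length: n }, (_, i) => [i + 1, evalPoly(coeffs, i + 1)]);
}
// Hardened generation for one secret byte: the leading coefficient is resampled until
// nonzero, so the polynomial really has degree t - 1. rng() must return a byte.
function makeCoefficients(secretByte, t, rng) {
  const q = [secretByte];
  for (let i = 1; i < t; i++) {
    let w;
    do { w = rng(); } while (i === t - 1 && w === 0);
    q.push(w);
  }
  return q;
}
// Generator-side audit over a full share set: t - 1 shares predicting a t-th share is
// possible only if the polynomial's degree dropped below t - 1 (exact test over a field).
function degreeDropped(shares, t) {
  const [px, py] = shares[t - 1];
  return lagrangeAt(shares.slice(0, t - 1), px) === py;
}
```

With coefficients [0x42, 0x11, 0x00] (constructed: secret byte 0x42, leading coefficient zero) two of the five shares already give back 0x42, while with [0x42, 0x11, 0x07] two shares interpolate to a wrong byte and only three recover it.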
Bounty relevance
This directly matches the published rule:
0.1 BTC - Any bug in the implementation of the presented secret sharing scheme that can lead to loss of access and the inability to recover the original mnemonic phrase.