A team of researchers at crypto infrastructure firm Fireblocks has disclosed a set of vulnerabilities affecting over 15 leading digital asset wallet providers that could result in millions of crypto wallets being drained.
On August 10, Fireblocks took to X to disclose the series of vulnerabilities, referred to as “BitForge,” which target some of the most widely adopted multi-party computation (MPC) technology providers. MPC is a cryptographic protocol that allows multiple parties to perform computations on their data without revealing it to each other or a third party.
1/ The Fireblocks research team has uncovered BitForge, a set of vulnerabilities in some of the most widely adopted MPC protocols, that allow an attacker to retrieve a private key from a single device. Read on → https://t.co/xo2r9zgCvj pic.twitter.com/7q1nEeVBwO
— Fireblocks (@FireblocksHQ) August 9, 2023
Fireblocks Points Out Massive Vulnerabilities
According to an official press release, the major security issues that have been categorized as “zero day” vulnerabilities could affect some of the most used cryptographic MPC protocols, including GG-18, GG-20, and implementations of Lindell 17.
BitForge could enable an exploiter to exfiltrate the private keys of a user due to a missing zero-knowledge proof in MPC protocols GG-18 and GG-20. Meanwhile, the vulnerability affecting the Lindell 17 protocol was a result of wallet providers moving away from specifications laid out in the academic paper, which created a backdoor for attackers to expose part of the private key when signing fails.
Furthermore, Fireblocks highlighted that the vulnerabilities would have allowed hackers to “extract the full private key if they were able to compromise only one device.” The cryptocurrency infrastructure firm noted that the BitForge vulnerability has already impacted popular wallet providers like Coinbase WaaS, Zengo, and Binance, with more than 12 others still at risk.
Wallet Providers Take Active Measures to Fix BitForge
However, following an industry-standard “90-day disclosure period” from Fireblocks, Coinbase, Zengo, and Binance have since resolved the identified issues.
Aside from the three firms, Fireblocks specified that numerous other wallet providers are also known to be impacted by the BitForge vulnerability, adding,
“If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, with no knowledge to the user or vendor.”
1/ We prioritize the security of our users above all else. Recently, an error handling flaw was discovered in a few Multi-Party Computation (MPC) libraries. Due to safeguards we implemented in the MPC protocol, there was no practically exploitable vulnerability in our services.
— Coinbase Cloud 🛡️ (@CoinbaseCloud) August 9, 2023
In response to the disclosure, Coinbase acknowledged the issue, stating that while its Coinbase Wallet consumer product was not impacted, previous versions of its Wallet as a Service solution used some of the libraries in question. Jeff Lunglhofer, Chief Information Security Officer at Coinbase, said,
“We would like to thank Fireblocks for identifying and responsibly disclosing this issue. While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation.”
All that Glitters is not Gold
Touted for their enhanced security, MPC wallets enable multiple parties to jointly perform a computation without revealing any private information or related secret data held by each party. The technology offers a solution to the problem of data sharing, helping to create an online environment where parties can access certain types of data without compromising the safety of other persons’ information or their own.
Although this makes it an ideal solution for processing highly sensitive information, this technology faced a massive security breach earlier this year, with the widely used Multichain MPC bridge hacked on July 7, causing investors to lose over $100 million.
In addition, MPC wallets can be more complex to use compared to other types of wallets. Other limitations of using MPC wallets include computational overhead and high communication costs.