Crypto infrastructure company Fireblocks has uncovered a set of vulnerabilities called “BitForge” that pose a threat to popular crypto wallets using multi-party computation (MPC) technology. These vulnerabilities were previously unknown to the developers of the affected software. Major companies such as Coinbase, ZenGo, and Binance have worked with Fireblocks to address and prevent potential exploits.
Fireblocks stated that these vulnerabilities could have allowed attackers to drain funds from the wallets of millions of retail and institutional customers within seconds, without the users or vendors being aware. To exploit these vulnerabilities, an attacker would typically need to compromise a wallet user’s device or gain access to the internal systems of the wallet service or a third-party custodian with access to the encrypted private key. The specific steps required depended on the wallet being used.
Fireblocks has also identified other teams that may be impacted and has reached out to them through the industry-standard 90-day responsible disclosure process. CEO Michael Shaulov believes that while the vulnerabilities could have been exploited, the complexity of the attacks makes it unlikely that malicious actors discovered them before Fireblocks disclosed them.
The BitForge vulnerabilities have raised concerns about the security of multi-party computation (MPC) wallets, which were designed to eliminate single points of failure by splitting a user’s private key across multiple parties. This includes the wallet user, the wallet provider, and a trusted third party. No single entity can unlock the wallet without assistance from the others. However, the BitForge vulnerabilities would have allowed a hacker to extract the full private key if they compromised just one device, undermining the multi-party aspect of MPC.
Related Post
Coinbase confirmed that its user-facing wallet service, Coinbase Wallet, was not affected. However, its Wallet-as-a-Service (WaaS) offering was technically vulnerable before the company implemented a fix. Coinbase stated that the vulnerabilities uncovered by Fireblocks would have been extremely difficult to exploit in its case, as it would require a malicious server within Coinbase’s infrastructure to trick users into initiating numerous authenticated signing requests. Jeff Lunglhofer, chief information security officer at Coinbase, emphasized the importance of maintaining a fully trustless cryptographic model in any MPC implementation.
Similarly, Binance CEO Changpeng Zhao disclosed that the issue was present in the TSS Library Binance had open-sourced, but the vulnerability has since been fixed.
The discovery of the BitForge vulnerabilities has highlighted the ongoing risks and challenges associated with securing crypto wallets. As the popularity of cryptocurrencies continues to grow, malicious actors are constantly seeking ways to exploit vulnerabilities for financial gain. It is crucial for companies in the crypto industry to have robust security measures in place and collaborate with experts like Fireblocks to proactively identify and address potential threats.
In conclusion, Fireblocks’ identification of the BitForge vulnerabilities serves as a reminder of the importance of rigorous security practices in the crypto industry. While vulnerabilities may arise, it is crucial for companies to promptly address and mitigate them to protect the funds and assets of their customers. With ongoing advancements in technology and the evolving threat landscape, constant vigilance and collaboration between industry players are essential to maintain the integrity and security of the crypto ecosystem.
