Highlights:

  • The researchers clarified that the BitForge vulnerability targets wallets that utilize specific multiparty computation protocols such as GG-18, GG-20, and Lindell 17.
  • The Fireblocks security team conveyed that it conducted the research and informed more than 15 distinct digital asset wallet providers and projects about the vulnerability status throughout its investigation.

Fireblocks Inc., a digital asset infrastructure firm, has disclosed several zero-day vulnerabilities in cryptocurrency wallets. These unpatched security flaws could enable attackers or malicious entities to drain funds.

Recently, the researchers named these vulnerabilities “BitForge” and indicated that they impacted various wallet providers. Zengo Ltd., Coinbase Inc., and Binance Holdings Ltd. are a few of the affected companies. Following a responsible 90-day disclosure period, all three primary wallet manufacturers have implemented security enhancements to their wallets, effectively resolving the vulnerabilities.

The researchers clarified that the BitForge vulnerability targets wallets that utilize specific multiparty computation (MPC) protocols such as GG-18, GG-20, and Lindell 17. MPC plays a crucial role in digital asset transactions: it divides a single private key among multiple parties, who must then collectively authorize a transaction. This enhances the security of a crypto wallet, making hacking more challenging. Furthermore, it ensures that a single individual cannot access funds; the cooperation of multiple parties is necessary.

The GG-18 and GG-20 vulnerabilities enable attackers to extract the complete private key in the absence of a necessary zero-knowledge proof. With the key, attackers can control the wallet’s funds and potentially drain them.

The vulnerability in Lindell 17 results from wallet providers deviating from the academic implementation, introducing a backdoor that enables attackers to uncover private key segments during failed signing attempts. This flaw allows attackers to gradually reconstruct the complete key after several unsuccessful signing attempts. Approximately 200 unsuccessful signature attempts are needed.

Pavel Berengoltz, Co-Founder and CTO of Fireblocks, stated, “As decentralized finance and Web3 continue to gain popularity, the need for secure wallet and key management providers is evident. While we are encouraged to see that MPC is now ubiquitous within the digital asset industry, it is evident from our findings — and our subsequent disclosure process — that not all MPC developers and teams are created equal.”

The Fireblocks security team conveyed that it conducted the research and informed more than 15 distinct digital asset wallet providers and projects about the vulnerability status throughout its investigation. Additionally, the statement indicated that MPC wallets offered by Fireblocks remain unaffected, assuring customers that their funds remain secure and protected from potential attacks.

Changpeng Zhao, the CEO of Binance, the world’s largest cryptocurrency exchange by trading volume, acknowledged that the issue impacted the company’s wallet. However, he confirmed that the problem was promptly resolved following its identification by Fireblocks. Zhao mentioned in a post, “This issue was present in the TSS Library Binance open-sourced, which has been fixed. No Binance user funds affected. Even MPC custody solutions have risks.”

Jeff Lunglhofer, the Chief Information Security Officer at Coinbase, expressed gratitude to Fireblocks for their responsible handling of the situation through disclosure. Lunglhofer commented, “While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation. Setting a high industry bar for safety protects the ecosystem and is critical to the broader adoption of this technology.”

Recognizing the widespread impact of BitForge on various wallets, the security team has introduced a dedicated BitForge Status Checker website. This platform is tailored for projects and businesses employing closed implementations, allowing them to evaluate their vulnerability status effectively.