Crypto infrastructure giant Fireblocks has publicly revealed security vulnerabilities in the technology used by over a dozen major digital asset wallet providers. If unaddressed, the company warned that attackers could exploit the bugs to steal from millions of customers. The Bitforge Exploits The set of vulnerabilities – collectively referred to as “Bitforge” – apply to popular multi-party-computation (MPC) protocols, including GG-18 , GG-20, and Lindell17. These protocols allow cryptocurrency to be controlled and managed by multiple individuals and groups. “The BitForge vulnerabilities, if left unremedied, would enable attackers to exploit a newly discovered flaw in the GG18 and GG20 protocols by exfiltrating the full private key due to a missing zero-knowledge proof,”
Topics:
Andrew Throuvalas considers the following as important: AA News, Hacking
This could be interesting, too:
Wayne Jones writes dYdX CEO Declares 35% Workforce Reduction
Chayanika Deka writes Former FTX’s Head of Engineering Nishad Singh Dodges Prison
Mandy Williams writes Aave Sees 0M Weekly Increase in cbBTC Inflows, But There’s a Catch
Wayne Jones writes MrBeast Linked to Over 50 Crypto Wallets Allegedly Involved in Insider Trading: Report
Crypto infrastructure giant Fireblocks has publicly revealed security vulnerabilities in the technology used by over a dozen major digital asset wallet providers.
If unaddressed, the company warned that attackers could exploit the bugs to steal from millions of customers.
The Bitforge Exploits
The set of vulnerabilities – collectively referred to as “Bitforge” – apply to popular multi-party-computation (MPC) protocols, including GG-18 , GG-20, and Lindell17. These protocols allow cryptocurrency to be controlled and managed by multiple individuals and groups.
“The BitForge vulnerabilities, if left unremedied, would enable attackers to exploit a newly discovered flaw in the GG18 and GG20 protocols by exfiltrating the full private key due to a missing zero-knowledge proof,” wrote Fireblocks in a statement on Wednesday.
The company stated that all vendors using the protocols “should be considered vulnerable.”
The Lindell17 vulnerability, it wrote, was due to wallet providers deviating from the academic paper, “creating a backdoor for attackers to expose part of the private key when signing fails.” The exploits have already been validated on major open-source implementations.
Coinbase and Binance Affected, But Funds Are Safe
In an accompanying press release, Fireblocks named popular providers including Coinbase WaaS, Zengo, and Binance as having been impacted by the vulnerabilities.
However, having been privately notified by the firm beforehand, Fireblocks said the prior three firms have already patched the issues, and the relevant academic papers have been appropriately revised.
“While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation,” said Jeff Lunglhofer, Chief Information Security Officer at Coinbase, regarding the patch.
Binance CEO Changpeng Zhao also clarified on Thursday that the exchange has patched the vulnerability and that no user funds had been affected.
https://twitter.com/cz_binance/status/1689556596332867584
In a statement, Fireblocks CTO Pavel Berengoltz wrote:
“While we are encouraged to see that MPC is now ubiquitous within the digital asset industry, it is evident from our findings — and our subsequent disclosure process — that not all MPC developers and teams are created equal.”
The CTO noted that over $500 million were stolen in wallet thefts and attacks over the first half of 2023.