A team of researchers at crypto infrastructure firm Fireblocks has disclosed a set of vulnerabilities that they say affect some of the most widely adopted multi-party computation (MPC) technology providers.
1/ The Fireblocks research team has uncovered BitForge, a set of vulnerabilities in some of the most widely adopted MPC protocols, that allow an attacker to retrieve a private key from a single device. Read on → https://t.co/xo2r9zgCvj
— Fireblocks (@FireblocksHQ) August 9, 2023
The researchers named the discovery “BitForge,” describing it as a set of zero-day vulnerabilities that would have enabled an attacker to exfiltrate a user's private keys because of a missing zero-knowledge proof in the MPC protocols GG-18 and GG-20.
Meanwhile, the vulnerability affecting the Lindell 17 protocol resulted from wallet providers deviating from the specifications laid out in the academic paper, which created a backdoor for attackers to expose part of the private key when signing fails.
“The vulnerability enables full private key extraction, allowing attackers to steal all funds from the crypto wallet,” noted the Fireblocks researchers.
The term “zero-day” refers to previously undiscovered vulnerabilities, which developers essentially have zero days to fix.
These vulnerabilities affect more than 15 digital asset wallet providers, blockchains and other projects that rely on these MPC protocols, including Coinbase, ZenGo and Binance. These firms have since resolved the issues pertaining to BitForge after Fireblocks presented them with its documented findings.
“This is exactly what proactive security collaboration looks like. The issue was promptly addressed, and no user funds were affected,” said Tal Be’ery, chief technology officer at ZenGo.
Coinbase also acknowledged Fireblocks’ disclosure, noting that while its Coinbase Wallet consumer product was not impacted by the issue, previous versions of its Wallet as a Service solution used some of the libraries in question.
2/ Coinbase immediately released updated libraries in May to improve error handling, despite the lack of exploitability. This is part of our commitment to continuously improve and maintain the highest standards of security.
— Coinbase Cloud 🛡️ (@CoinbaseCloud) August 9, 2023