Leading digital asset infrastructure firm Fireblocks has warned about vulnerabilities that could expose over 15 widely-used crypto wallets to devastating breaches. Dubbed BitForge, these vulnerabilities have raised alarms due to their potential to drain millions of cryptocurrency wallets, impacting retail and institutional customers.
Fireblocks’ announcement on August 9th highlighted that the vulnerabilities target wallets employing multi-party computation (MPC) technology. This technology enables multiple parties to collaborate in controlling and managing cryptocurrency holdings.
1/ The Fireblocks research team has uncovered BitForge, a set of vulnerabilities in some of the most widely adopted MPC protocols, that allow an attacker to retrieve a private key from a single device. Read on → https://t.co/xo2r9zgCvj
— Fireblocks (@FireblocksHQ) August 9, 2023
Crucially, the identified issues were categorized as “zero day” vulnerabilities, signifying that the affected projects had not previously detected these flaws. The implications of these vulnerabilities are profound, as Fireblocks outlined:
If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, with no knowledge to the user or vendor.
Fireblocks identified prominent players in the crypto wallet space, including Coinbase, Zengo, and Binance, as being impacted by BitForge vulnerabilities. However, per the industry standard “90-day disclosure period” set by Fireblocks, these companies swiftly resolved the issues.
Coinbase’s Chief Information Security Officer, Jeff Lunglhofer, expressed gratitude for Fireblocks’ responsible disclosure, assuring customers that their funds remain secure. Zengo’s Chief Technology Officer, Tal Be’ery, echoed the sentiment, underlining that user funds remain unaffected due to the swift resolution of the issue.
Fireblocks’ proactive stance didn’t stop with the initial revelation. The firm further stated that it had been actively identifying other potential security risks, reaching out to companies that might be susceptible to similar vulnerabilities. Even Binance, one of the largest crypto exchanges, acknowledged Fireblocks’ contribution, as CEO Changpeng Zhao emphasized that their swift actions prevented any potential damage.
This issue was present in the TSS Library Binance open-sourced, which has been fixed. Thanks to Fireblocks for uncovering it!
No @Binance user funds affected.
Even MPC custody solutions have risks. Stay #SAFU! 🙏 https://t.co/UneRs7VOj7
— CZ 🔶 Binance (@cz_binance) August 10, 2023
MPC wallets, renowned for bolstering security, employ encryption to safeguard a user’s private key, distributing it across various parties. Nonetheless, the BitForge vulnerabilities could have enabled hackers to access the complete private key by compromising a single device.
In response to these findings, Pavel Berengoltz, Fireblocks’ Chief Technology Officer and co-founder, emphasized the need for industry players to collaborate with security experts to address vulnerabilities proactively. He remarked, “Companies leveraging Web3 technology should work closely with security experts with the know-how and resources to stay ahead of and mitigate vulnerabilities.”