Fireblocks has released a report titled, “BitGo Wallet Zero Proof Vulnerability: Technical Report.” Cryptography researchers at Fireblocks reportedly claim to have found an alarming vulnerability in competitor BitGo’s Threshold Signature Scheme (TSS) wallet software.
Addressing the issue, BitGo states to have released a patch in February 2023 to fix the vulnerability, per Fireblocks. Per BitGo, the concerned wallet type is in its infancy, made available only to 20 developers.
In its official response to Fireblocks, BitGo writes, The most recent blog posted by Fireblocks engineering team is a competitor trying to drum up unnecessary fear, turning a known gap into a publicity stunt during a time our industry should really be working together against headwinds.
The specific MPC wallet type in question is in early access and remains in early access, only unlocked for 20 developers.
Per the report, Fireblocks alleges the vulnerability allows the attacker to access the ECDSA (self-managed wallet) private key in its entirety from BitGo Ethereum TSS wallets. This can allegedly be done via a sole signature and some computation, without falling accountable to the security features placed by BitGo, per Fireblocks.
Competing with Fireblocks in the custody and wallet space, BitGo uses the TSS wallet type for multi-party computation (MPC) in targeting institutional clients. BitGo is reported to have initiated the required steps in December 2022 after knowing about the concerned vulnerability.
Fireblocks claims the vulnerability in question emanated from a required zero-knowledge (zk) proofs’ missing implementation in the TSS wallet protocol. This anomaly might have resulted in uncovering the private keys’ details of the users, giving access to users’ assets without their consent, per FireBlocks.
Fireblocks did not explicitly share any details on the loss of user assets due to the said vulnerability. But BitGo tends to criticize the initiative taken by Fireblocks, terming it to be a “publicity stunt” meant to instill fear among the users, thereby damaging BitGo’s reputation. BitGo states legal formalities are being sought against Fireblocks in regards to the baseless claims.
