Fireblocks discovers ‘BitForge’ vulnerabilities threatening major MPC wallets

Fireblocks discovers 'BitForge' vulnerabilities threatening major MPC wallets

BitForge Vulnerability: A Threat to the Blockchain Industry

Source: AdobeStock / Sergey Nivens

The blockchain industry, despite its inherent security measures, is not immune to vulnerabilities. Recently, crypto infrastructure company Fireblocks discovered a set of vulnerabilities known as “BitForge” that poses a threat to popular crypto wallets that utilize multi-party computation (MPC) technology. These vulnerabilities, classified as “zero-day” due to their unknown nature to developers, have raised concerns among major companies such as Coinbase, ZenGo, and Binance.

Understanding BitForge Vulnerabilities

MPC technology is an essential component of crypto wallets, designed to eliminate single points of failure by dividing a user’s private key across multiple parties, including the wallet user, the wallet provider, and a trusted third party. The intention is to create a system where no single entity can unlock the wallet without help from others. However, the BitForge vulnerabilities undermine the multi-party aspect of MPC, compromising the security of these wallets.

To exploit these vulnerabilities, an attacker would typically need to compromise a user’s device or gain unauthorized access to the internal systems of the wallet service or a third-party custodian. The specific steps required depend on the wallet being used. The complexity of these attacks makes it unlikely that malicious actors discovered them before Fireblocks disclosed the vulnerabilities.

Impacted Companies and Response

Fireblocks has collaborated with major companies within the blockchain industry, including Coinbase, ZenGo, and Binance, to address the BitForge vulnerabilities promptly. If left unpatched, these vulnerabilities could have allowed attackers to drain funds from the wallets of millions of retail and institutional customers in seconds, without the user or vendor being aware.

In response to Fireblocks’ discovery, Coinbase confirmed that its user-facing wallet service, Coinbase Wallet, remained unaffected, while its Wallet-as-a-Service (WaaS) offering was technically vulnerable before implementing a fix. Coinbase emphasized the difficulty of exploiting the vulnerabilities in its case, requiring a malicious server within Coinbase’s infrastructure to deceive users into initiating numerous authenticated signing requests. The company acknowledged the importance of maintaining a fully trustless cryptographic model in any MPC implementation.

Likewise, Binance CEO Changpeng Zhao revealed that the BitForge vulnerabilities were present in the TSS Library Binance open-sourced. However, the issue has been promptly fixed to ensure the security of their users’ wallets.

The Safety of MPC Wallets

While the BitForge vulnerabilities have been patched in major wallets, this incident raises concerns about the safety of supposedly ultra-safe MPC wallets. The initial intention behind MPC technology was to enhance security by eliminating single points of failure. However, the discovery of these vulnerabilities highlights the importance of ongoing vigilance and continuous improvements to ensure the utmost security in the blockchain industry.

Ultimately, the BitForge vulnerabilities serve as a reminder that even the most advanced security measures can have weaknesses. In response to this incident, Fireblocks has effectively engaged in industry-standard responsible disclosure, reaching out to other potentially impacted teams to ensure their awareness and the implementation of necessary fixes.

The blockchain industry must remain proactive in identifying and addressing vulnerabilities promptly. Continuous collaboration and information sharing among industry players, as demonstrated by Fireblocks, are crucial to strengthening the overall security posture of the blockchain ecosystem.

Conclusion

The BitForge vulnerabilities uncovered by Fireblocks have shed light on the potential threats that can undermine the security of MPC wallets in the blockchain industry. By promptly working with affected companies and actively engaging in responsible disclosure, Fireblocks has taken important steps to mitigate the risks associated with these vulnerabilities.

This incident serves as an important reminder that security measures within the blockchain industry must constantly evolve to stay ahead of potential threats. The collaboration among companies and the implementation of fixes demonstrate the industry’s commitment to bolstering security and ensuring the safety of customers’ funds in the ever-evolving digital landscape.

We will continue to update Phone&Auto; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more