In December 2022, the cryptography research team Fireblocks identified a critical vulnerability in BitGo’s cryptocurrency wallet that could have exposed the private keys of both retail and institutional users. After being notified of the flaw by Fireblocks, BitGo immediately patched the security issue and protected its customers’ assets. The vulnerability was related to BitGo Threshold Signature Scheme (TSS) wallets and could potentially have exposed the private keys of exchanges, banks, businesses, and individuals using the platform. Fortunately, BitGo responded swiftly and patched the vulnerability, and no users were affected.
On December 10, the Fireblocks team uncovered a vulnerability in BitGo’s ECDSA TSS wallet protocol dubbed the ‘BitGo Zero Proof Vulnerability.’ With just a few lines of JavaScript code, attackers could have extracted a private key in under one minute. To mitigate the security risk, BitGo issued a patch in February 2023 and required its clients to update their software to the latest version by March 17. In addition, Fireblocks disclosed that it identified the exploit using a free BitGo account on the mainnet: the wallet protocol lacked mandatory zero-knowledge proofs, which allowed the team to expose the private key through a simple attack.
Employing industry-standard enterprise-grade cryptocurrency asset platforms with either multiparty-computation (MPC/TSS) or multi-signature technology reduces the risk of a single point of attack. This is achieved by splitting the private key into different parts and distributing them between multiple parties. Fireblocks demonstrated that internal or external attackers could access a full private key through two different methods. In the first, a malicious actor could exploit a user’s compromised client side to initiate a transaction and acquire the portion of the private key held in BitGo’s system. If the attempt succeeded, BitGo would perform the signing computation and inadvertently leak its own key shard. The attacker could then reconstruct the full private key, load it into an external wallet, and withdraw the funds.
The second scenario assumed that BitGo itself was compromised. Here the attackers wait for customers to initiate a transaction and then send them malicious values that are used to sign the transaction with the customer’s key shard. This allows the attacker to reveal the user’s key shard and combine it with BitGo’s own to gain control of the wallet.
In August 2022, over $8 million was stolen from over 7,000 Solana-based Slope wallets, and more than $9 million was drained from various high-profile MyAlgo wallet users on the Algorand network. Although there were no attacks via the identified vector, Fireblocks warned users to consider creating new wallets and moving funds from ECDSA TSS BitGo wallets before the patch, as wallet hacks have become increasingly rampant in the cryptocurrency industry.