Fireblocks, a digital assets security company, has disclosed vulnerabilities affecting several cryptocurrency wallets, collectively named “Bitforge.” Through these vulnerabilities, criminals could steal millions in cryptocurrency without having direct contact with the owners of the wallet or its providers. While some providers have already applied patches, others are still vulnerable.
Bitforge Vulnerabilities Disclosed
Fireblocks, a cryptocurrency assets security and consulting company, has publicly disclosed Bitforge, a set of wallet vulnerabilities potentially affecting millions of customers. While the Fireblocks team discovered these issues back in May, it just announced their existence in a presentation titled “Small Leaks, Billions Of Dollars: Practical Cryptographic Exploits That Undermine Leading Crypto Wallets” as part of the Black Hat 2023 conference.
These vulnerabilities attack the Multi-Party Computation (MPC) algorithms of several vendors. The first vulnerability is related to GG18 and GG20, two protocols qualified by Fireblocks as “pioneering for the MPC wallet industry” and “widely adopted by companies in the space.”
The exploit allows criminals to exfiltrate the private key and take control of the cryptocurrency in the attacked wallet. Fireblocks also presented a proof-of-concept for this attack.
Similarly, the second vulnerability deals with Lindell17, a signing protocol. Fireblocks states this exploit “originates from Lindell17 implementations deviating from the specification of the academic paper and ignoring or mishandling aborts in case of failed signatures.”
This vulnerability was discovered in the Zengo wallet and later confirmed to work against Coinbase Wallet as a Service (WAAS), as well as in open-source protocol implementations. Zengo and Coinbase have already patched their wallets to deal with this exploit.
Jeff Lunglhofer, Chief Information Security Officer at Coinbase, thanked Fireblocks for the timely disclosure, telling Bleeping Computer that “while Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation.”
Vulnerability Checker
Due to the number of wallets potentially affected by this set of vulnerabilities, Fireblocks has built a utility to allow wallet providers and users to check if their wallets can be exploited using these vulnerabilities.
At the time of writing, only Coinbase and Zengo are listed as secure against the Lindell17 exploit. Fireblocks explained that not all wallet providers are shown because “it’s part of the DNA of the industry to work together to be stronger out of the public eye rather than calling companies out publicly and harming their credibility.”