Fireblocks warns most popular crypto wallets are exposed to BitForge

Rick Steves

The cryptography research team of Fireblocks, the leading infrastructure for moving, storing, and issuing digital assets, has found multiple zero-day vulnerabilities in some of the most used cryptographic multi-party computation (MPC) protocols, including GG-18, GG-20, and implementations of Lindell 17.

If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, without the knowledge of the user or vendor, the research team warned.

Binance hasn’t fixed and resolved issues, says Fireblocks

Dubbed BitForge, the series of vulnerabilities impacted popular wallet providers such as Coinbase WaaS, Zengo, and Binance. Of these three, only Binance has not resolved the identified issues following the industry-standard 90-day responsible disclosure process, Fireblocks said.

Of the wallet providers Fireblocks’ research team worked with to patch the vulnerabilities, Coinbase WaaS and Zengo were best-in-class in managing and resolving the issues in a timely manner, ensuring that their users were well-protected.

Aside from Coinbase WaaS, Zengo, and Binance, dozens of other wallet providers are also known to be impacted by the BitForge vulnerabilities. Fireblocks has therefore published the BitForge Status Checker so that projects can find out whether they might be exposed to an impacted MPC implementation.

Fireblocks uses MPC-CMP and MPC-CMPGG protocols

Fireblocks’ MPC-CMP and MPC-CMPGG protocols are not affected by the BitForge vulnerabilities as they utilize the required Zero Knowledge Proofs to validate all secret key material throughout the key generation, signing, and storage processes.

The company also adopts a multi-layer security approach by combining hardware security and MPC to reduce the attack surface and the feasibility of real-world exploits.

Fireblocks enables exchanges, lending desks, custodians, banks, trading desks, and hedge funds to securely scale digital asset operations through the Fireblocks Network and MPC-based Wallet Infrastructure.

Coinbase and Zengo thank Fireblocks for the warning

Pavel Berengoltz, Co-founder & Chief Technology Officer at Fireblocks, said: “As decentralized finance and Web3 continue to gain popularity, the need for secure wallet and key management providers is evident. While we are encouraged to see that MPC is now ubiquitous within the digital asset industry, it is evident from our findings — and our subsequent disclosure process — that not all MPC developers and teams are created equal. Companies leveraging Web3 technology should work closely with security experts with the know-how and resources to stay ahead of and mitigate vulnerabilities. Maintaining and updating core infrastructure technologies, like Web3 wallets, is crucial in preventing thefts and attacks, which amounted to nearly $500 million in the first half of 2023.”

Jeff Lunglhofer, Chief Information Security Officer at Coinbase, commented: “We would like to thank Fireblocks for identifying and responsibly disclosing this issue. While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation. Setting a high industry bar for safety protects the ecosystem and is critical to the broader adoption of this technology.”

Tal Be’ery, Chief Technology Officer & Co-founder at Zengo, added: “We’d like to thank the Fireblocks team for their responsible disclosure: This is exactly what proactive security collaboration looks like. The issue was promptly addressed and no user funds were affected. This highlights the power of our open-source MPC cryptographic libraries and we look forward to continuing to contribute to strengthening the cryptographic security of the entire ecosystem.”
