Fireblocks warns most popular crypto wallets are exposed to BitForge

Rick Steves

The cryptography research team of Fireblocks, the leading infrastructure for moving, storing, and issuing digital assets, has found multiple zero-day vulnerabilities in some of the most used cryptographic multi-party computation (MPC) protocols, including GG-18, GG-20, and implementations of Lindell 17.

If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, without the knowledge of the user or vendor, the research team warned.

Binance hasn’t fixed and resolved issues, says Fireblocks

Dubbed BitForge, the series of vulnerabilities had impacted popular wallet providers like Coinbase WaaS, Zengo, and Binance. Of these three, only Binance hasn’t fixed and resolved the identified issues following the industry-standard 90-day responsible disclosure process, said Fireblocks.

Of the wallet providers Fireblocks’ research team worked with to patch the vulnerabilities, Coinbase WaaS and Zengo were best-in-class in managing and resolving the issues in a timely manner, ensuring that their users were well-protected.

Aside from Coinbase WaaS, Zengo, and Binance, dozens of other wallet providers are also known to be impacted by the BitForge vulnerability. Therefore, Fireblocks has published the BitForge Status Checker so that projects can find out if they might be exposed to an impacted MPC implementation.

Fireblocks uses MPC-CMP and MPC-CMPGG protocols

Fireblocks’ MPC-CMP and MPC-CMPGG protocols are not affected by the BitForge vulnerabilities as they utilize the required Zero Knowledge Proofs to validate all secret key material throughout the key generation, signing, and storage processes.

The company also adopts a multi-layer security approach by combining hardware security and MPC to reduce the attack surface and the feasibility of real-world exploits.

Fireblocks enables exchanges, lending desks, custodians, banks, trading desks, and hedge funds to securely scale digital asset operations through the Fireblocks Network and MPC-based Wallet Infrastructure.

Coinbase and Zengo thank Fireblocks for the warning

Pavel Berengoltz, Co-founder & Chief Technology Officer at Fireblocks, said: “As decentralized finance and Web3 continue to gain popularity, the need for secure wallet and key management providers is evident. While we are encouraged to see that MPC is now ubiquitous within the digital asset industry, it is evident from our findings — and our subsequent disclosure process — that not all MPC developers and teams are created equal. Companies leveraging Web3 technology should work closely with security experts with the know-how and resources to stay ahead of and mitigate vulnerabilities. Maintaining and updating core infrastructure technologies, like Web3 wallets, is crucial in preventing thefts and attacks, which amounted to nearly $500 million in the first half of 2023.”

Jeff Lunglhofer, Chief Information Security Officer at Coinbase, commented: “We would like to thank Fireblocks for identifying and responsibly disclosing this issue. While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation. Setting a high industry bar for safety protects the ecosystem and is critical to the broader adoption of this technology.”

Tal Be’ery, Chief Technology Officer & Co-founder at Zengo, added: “We’d like to thank the Fireblocks team for their responsible disclosure: This is exactly what proactive security collaboration looks like. The issue was promptly addressed and no user funds were affected. This highlights the power of our open-source MPC cryptographic libraries and we look forward to continuing to contribute to strengthening the cryptographic security of the entire ecosystem.”

 
