Multiple zero-day vulnerabilities have been discovered in some of the most used cryptographic multi-party computation (MPC) protocols, putting consumers’ cryptocurrency funds at risk of theft.
In findings presented during Black Hat USA on Wednesday, August 9, the Fireblocks Cryptography Research Team said that the vulnerabilities, if left unpatched, would enable attackers to drain funds from the wallets of millions of retail and institutional customers “in seconds.”
The details of the zero-days have now been made public following a 90-day responsible disclosure process.
Speaking to Infosecurity, Shahar Madar, Head of Security Products at Fireblocks, said that the vulnerabilities, dubbed BitForge, have not been exploited “as far as we know.” However, he observed that if an attacker was stealing a private key “it would be impossible to know until they move funds to a new wallet.”
Madar added that discovering BitForge would require a strong understanding in modern cryptography and blockchain along with vulnerability research, which is “a rare skill.”
Nevertheless, he explained that should an attacker discover the vulnerabilities, “it would be relatively simple to exploit it with the right access to one of the MPC co-signers (either customer or vendor) – as some of the attacks require just 16 signatures to exfiltrate the private key share.”
The zero days were found in numerous cryptographic MPC protocols, including GG-18, GG-20 and implementations of Lindell 17.
This impacts popular wallet providers such as Coinbase WaaS, Zengo and Binance, along with dozens of other providers.
Fireblocks has worked with wallet providers to remediate the vulnerabilities, praising Coinbase WaaS and Zengo for resolving the issues “in a timely manner.”
All wallet providers have been urged to check if they may have been exposed to an impacted MPC implementation.
Madar noted that Fireblocks had performed an extensive search for vendors who may be affected by BitForge and believes the discovery should provide a valuable lesson for crypto wallet providers going forward.
“Software security is something that you always have to keep in mind – you need to constantly challenge your assumptions, patch the errors that are found and monitor for attackers who are trying to exploit vulnerabilities in your system,” he commented.
Crypto wallets continue to be heavily targeted by threat actors to steal cryptocurrency. For example, in May 2023, security experts at Kaspersky found that a hardware wallet was exploited by cyber-criminals to steal almost $30,000 worth of funds.