The Fireblocks Cryptography Research Team announced the findings of multiple zero-day vulnerabilities in some of the most widely used cryptographic multi-party computation (MPC) protocols, including GG-18, GG-20, and implementations of Lindell17. If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, without the knowledge of the user or the vendor. The series of vulnerabilities, dubbed BitForge, impacted popular wallet providers including Coinbase WaaS, Zengo, and Binance. Following the industry-standard 90-day responsible disclosure process, Coinbase WaaS and Zengo have since fixed and resolved the identified issues. In addition, the academic papers that contained the flaws have been revised.
The Fireblocks Cryptography Research Team findings were presented during the Black Hat USA conference on Wednesday, August 9, and will be shared at Defcon on Thursday, August 10.
“As decentralized finance and Web3 continue to gain popularity, the need for secure wallet and key management providers is evident,” said Pavel Berengoltz, Co-founder & Chief Technology Officer at Fireblocks. “While we are encouraged to see that MPC is now ubiquitous within the digital asset industry, it is evident from our findings — and our subsequent disclosure process — that not all MPC developers and teams are created equal. Companies leveraging Web3 technology should work closely with security experts with the know-how and resources to stay ahead of and mitigate vulnerabilities. Maintaining and updating core infrastructure technologies, like Web3 wallets, is crucial in preventing thefts and attacks, which amounted to nearly $500 million in the first half of 2023.”
Of the wallet providers Fireblocks’ research team worked with to patch the vulnerabilities, Coinbase WaaS and Zengo were best-in-class in managing and resolving the issues in a timely manner, ensuring that their users were well-protected.
“We would like to thank Fireblocks for identifying and responsibly disclosing this issue. While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation. Setting a high industry bar for safety protects the ecosystem and is critical to the broader adoption of this technology,” said Jeff Lunglhofer, Chief Information Security Officer at Coinbase.
“We’d like to thank the Fireblocks team for their responsible disclosure: This is exactly what proactive security collaboration looks like,” said Tal Be’ery, Chief Technology Officer & Co-founder at Zengo. “The issue was promptly addressed and no user funds were affected. This highlights the power of our open-source MPC cryptographic libraries and we look forward to continuing to contribute to strengthening the cryptographic security of the entire ecosystem.”
Aside from Coinbase WaaS, Zengo, and Binance, dozens of other wallet providers are also known to be impacted by the BitForge vulnerability. Therefore, Fireblocks has published the BitForge Status Checker so that projects can find out if they might be exposed to an impacted MPC implementation: www.fireblocks.com/BitForge.
The MPC-CMP and MPC-CMPGG protocols implemented by Fireblocks are not affected by the BitForge vulnerabilities as they utilize the required Zero Knowledge Proofs to validate all secret key material throughout the key generation, signing, and storage processes. In addition, Fireblocks adopts a multi-layer security approach by combining hardware security and MPC to reduce the attack surface and the feasibility of real-world exploits.
For the full technical analysis of the BitForge vulnerabilities, please visit https://www.fireblocks.com/blog/gg18-and-gg20-paillier-key-vulnerability-technical-report and https://www.fireblocks.com/blog/lindell17-abort-vulnerability-technical-report.