
Fireblocks Researchers Uncover Vulnerabilities Impacting Dozens of Major Wallet Providers

The Fireblocks Cryptography Research Team announced that it has found multiple zero-day vulnerabilities in some of the most widely used cryptographic multi-party computation (MPC) protocols, including GG-18, GG-20, and implementations of Lindell 17. If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, without the knowledge of the user or vendor. The series of vulnerabilities, dubbed BitForge, impacted popular wallet providers like Coinbase WaaS, Zengo, and Binance. Following the industry-standard 90-day responsible disclosure process, Coinbase WaaS and Zengo have since fixed and resolved the identified issues. In addition, the academic papers that contained flaws have been revised.

The Fireblocks Cryptography Research Team's findings were presented during the Black Hat USA conference on Wednesday, August 9, and will be shared at Defcon on Thursday, August 10.

“As decentralized finance and Web3 continue to gain popularity, the need for secure wallet and key management providers is evident,” said Pavel Berengoltz, Co-founder & Chief Technology Officer at Fireblocks. “While we are encouraged to see that MPC is now ubiquitous within the digital asset industry, it is evident from our findings — and our subsequent disclosure process — that not all MPC developers and teams are created equal. Companies leveraging Web3 technology should work closely with security experts with the know-how and resources to stay ahead of and mitigate vulnerabilities. Maintaining and updating core infrastructure technologies, like Web3 wallets, is crucial in preventing thefts and attacks, which amounted to nearly $500 million in the first half of 2023.”

Of the wallet providers Fireblocks’ research team worked with to patch the vulnerabilities, Coinbase WaaS and Zengo were best-in-class in managing and resolving the issues in a timely manner, ensuring that their users were well-protected.

“We would like to thank Fireblocks for identifying and responsibly disclosing this issue. While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation. Setting a high industry bar for safety protects the ecosystem and is critical to the broader adoption of this technology,” said Jeff Lunglhofer, Chief Information Security Officer at Coinbase.

“We’d like to thank the Fireblocks team for their responsible disclosure: This is exactly what proactive security collaboration looks like,” said Tal Be’ery, Chief Technology Officer & Co-founder at Zengo. “The issue was promptly addressed and no user funds were affected. This highlights the power of our open-source MPC cryptographic libraries and we look forward to continuing to contribute to strengthening the cryptographic security of the entire ecosystem.”

Aside from Coinbase WaaS, Zengo, and Binance, dozens of other wallet providers are also known to be impacted by the BitForge vulnerability. Therefore, Fireblocks has published the BitForge Status Checker so that projects can find out if they might be exposed to an impacted MPC implementation:

The MPC-CMP and MPC-CMPGG protocols implemented by Fireblocks are not affected by the BitForge vulnerabilities as they utilize the required Zero Knowledge Proofs to validate all secret key material throughout the key generation, signing, and storage processes. In addition, Fireblocks adopts a multi-layer security approach by combining hardware security and MPC to reduce the attack surface and the feasibility of real-world exploits.

For the full technical analysis of the BitForge vulnerabilities, please visit and


© Asia Online Publishing Group 2023. Asia Online Publishing Group Sdn Bhd, FR 03M-04, Tamarind Suites, Persiaran Multimedia, Cyber 10, 63000 Cyberjaya, Selangor, Malaysia