Researchers at Fireblocks have uncovered several zero-day vulnerabilities in multi-party computation (MPC) protocols, which could impact wallet providers including Coinbase WaaS, Zengo, and Binance.
MPC protocols such as GG-18 and GG-20, and implementations of Lindell 17, were specifically mentioned by the Fireblocks Cryptography Research Team in a press release.
"If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, with no knowledge to the user or vendor," the team stated.
This series of vulnerabilities, named BitForge, has been addressed by the affected wallets.
"We would like to thank Fireblocks for identifying and responsibly disclosing this issue. While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation. Setting a high industry bar for safety protects the ecosystem and is critical to the broader adoption of this technology," said Jeff Lunglhofer, Chief Information Security Officer at Coinbase.
The Fireblocks Cryptography Research Team presented their findings at the Black Hat USA conference and will share them at Defcon.
MPC adoption has been increasing in the digital asset industry, but Fireblocks' research demonstrates that not all of those adopting it have expertise in security. "Companies leveraging Web3 technology should work closely with security experts with the know-how and resources to stay ahead of and mitigate vulnerabilities," Fireblocks suggests.
Fireblocks has released the BitForge Status Checker to help projects determine whether they are vulnerable.
Fireblocks' own protocols, MPC-CMP and MPC-CMPGG, are not affected by the BitForge vulnerabilities because they use the zero-knowledge proofs required for key validation. Fireblocks also implements a multi-layer security approach that combines hardware security and MPC to minimize the risk of real-world exploits.