Crypto wallets patch zero-day vulnerabilities to safeguard user funds

Fireblocks finds 16 affected wallet providers and open-source libraries but stops short of publicly naming the companies to provide time to implement a fix


Leading multi-party computation wallet providers, including Coinbase, Binance and ZenGo, have patched critical vulnerabilities discovered in widely used cryptographic protocols, potentially affecting millions of users.

Dubbed BitForge, the vulnerabilities identified and unveiled by the Fireblocks Cryptography Research Team on Wednesday could have allowed attackers to steal private keys from users’ wallets.

The disclosed vulnerabilities “effectively downgrade the protection offered by the MPC system to that of a conventional single key system,” Idan Ofrat, co-founder and chief product officer at Fireblocks, told Blockworks.

GG-18 and GG-20 protocols were found to be vulnerable at the pseudocode level — the inherent design or logic of the protocols — enabling attackers to exploit the flaw by exfiltrating the full private key, a Fireblocks spokesperson said.

In simpler terms, it’s like having a flaw in the blueprint of a building. Even if you build the structure perfectly according to the blueprint, the flaw is inherent in the design itself.

“BitForge only impacts MPC wallet providers that utilize the GG-18, GG-20, and Lindell17 protocols,” the spokesperson said. “Even if another provider is using a different MPC [multi-party computation] protocol, it is important to ensure they undergo regular code audits and have the cryptography resources to immediately patch security vulnerabilities.”

Some implementations required just 16 signatures for key extraction, while others could have necessitated as many as 1 billion. The Lindell17 vulnerability, on the other hand, emerged from wallet providers deviating from the protocol’s academic paper, which has since been updated. 

The vulnerability created a backdoor for attackers to expose part of the private key when signing fails, Fireblocks said. In 2020, the GG protocols were updated to patch an earlier vulnerability, but these modifications inadvertently created additional flaws. 

Fireblocks is advising all providers implementing these protocols to include required zero-knowledge proofs to enhance security. Users can check their exposure status through the BitForge Status Tracker.

While major players like Coinbase have resolved the vulnerabilities, the risk to smaller providers underscores the need to consult security experts to stay a step ahead, Fireblocks co-founder and CTO Pavel Berengoltz said.

“In cybersecurity, it is a common protocol for security researchers to provide information about a vulnerability they discovered to affected vendors privately and give the vendors 90 days to fix the vulnerability prior to disclosing it to the general public,” Ofrat said. “This allows the vendor ample time to mitigate the vulnerability while also making sure that security issues are eventually published for the public good to advance the entire ecosystem forward.”

Fireblocks identified 16 affected providers and open-source libraries but refrained from publicly naming the companies, emphasizing industry collaboration and providing a chance for fixes. 

“As GG-18, GG-20, and Lindell17 are some of the most popular MPC protocols used by wallet providers, we wanted to provide users with the ability to find out whether they are currently impacted by BitForge,” the spokesperson said.

Ofrat recommends that wallet users check with their providers or consult Fireblocks’ BitForge Status Tracker to see if their wallet may be affected.

James Cirrone contributed reporting.

