August 11, 2023
SINGAPORE – Millions of retail and institutional cryptocurrency investors face the risk of funds being drained from their digital asset wallets without their knowledge because of new security flaws, a study has found.
Research by digital asset custody firm Fireblocks found that the series of vulnerabilities, dubbed BitForge, impacted popular wallet providers like Coinbase WaaS, Zengo and Binance, among dozens of other providers.
BitForge refers to security flaws in software or products that are unknown to the vendor, and which have not been fixed or patched. The flaws were discovered by Fireblocks researchers and confirmed in May.
If they are unresolved, the firm said, attackers will be able to drain funds from the wallets of millions of retail and institutional customers in seconds, without the knowledge of the user or vendor.
“As with any vulnerability discovery, when the service provider’s code is closed-source, we can only take their word on whether it has been fixed,” said the firm. “The researchers at Coinbase and Zengo are well known within the space and worked very closely with Fireblocks’ research team expeditiously and with transparency to ensure that their vulnerabilities were patched.”
The firm added that the vulnerabilities have not been exploited yet, and it would be impossible to know if an attacker has succeeded in stealing a private key until the funds are moved to a new wallet.
The flaws were found in some of the cryptographic multi-party computation (MPC) protocols, including GG-18, GG-20 and implementations of Lindell 17. These MPC protocols are the ones most widely used by wallet providers.
Typically, when a single private key is stored in one place, a wallet’s owner would need to trust that the device or party that holds that private key is completely secure. With MPC, the private key is decentralised. It is broken up into shares, encrypted, and divided among multiple parties, so there is no single point of failure.
Mr Pavel Berengoltz, co-founder and chief technology officer at Fireblocks, said that MPC is now ubiquitous within the digital asset industry, but not all MPC developers and teams are created equal.
“Companies leveraging Web3 technology should work closely with security experts with the know-how and resources to stay ahead of and mitigate vulnerabilities. Maintaining and updating core infrastructure technologies, like Web3 wallets, is crucial in preventing thefts and attacks, which amounted to nearly US$500 million (S$674 million) in the first half of 2023,” he said.
The findings were presented at the Black Hat USA conference in Las Vegas on Thursday.
To let users find out whether they are currently impacted by BitForge, Fireblocks has published the BitForge status checker at www.fireblocks.com/BitForge.