Zero-Day Vulnerabilities Found in Cryptographic MPC Protocols Put Cryptocurrency Funds at Risk
A recent discovery by the Fireblocks Cryptography Research Team has unveiled multiple zero-day vulnerabilities in popular cryptographic multi-party computation (MPC) protocols. These vulnerabilities pose a significant threat to the security of consumers’ cryptocurrency funds, potentially allowing attackers to drain wallets of millions of retail and institutional customers within seconds.
Presented during Black Hat USA, the details of these zero-days have now been disclosed after a 90-day responsible disclosure process. Dubbed BitForge, the vulnerabilities have not been exploited to the team’s knowledge, but the potential consequences of an attack are severe.
According to Shahar Madar, Head of Security Products at Fireblocks, discovering and exploiting BitForge requires a deep understanding of modern cryptography, blockchain, and vulnerability research. However, if an attacker gains access to an MPC co-signer, exploiting the vulnerabilities could be relatively straightforward.
The zero-day vulnerabilities were found in various cryptographic MPC protocols, including GG-18, GG-20, and implementations of Lindell 17. This impacts popular wallet providers like Coinbase WaaS, Zengo, and Binance, among others.
Fireblocks has collaborated with wallet providers to address and remediate the vulnerabilities, commending Coinbase WaaS and Zengo for their prompt response. All wallet providers are advised to assess their exposure to affected MPC implementations and take necessary precautions.
Madar emphasized the importance of software security in the cryptocurrency space, highlighting the need for constant vigilance, patching of vulnerabilities, and monitoring for potential attacks. The discovery of BitForge serves as a valuable lesson for crypto wallet providers to enhance their security measures.
Despite efforts to secure cryptocurrency wallets, threat actors continue to target them for illicit gains. In a separate incident, security experts at Kaspersky uncovered a cyber-criminal exploiting a hardware wallet to steal nearly $30,000 worth of funds in May 2023.