Friday, April 26, 2024

Fireblocks, a company specializing in digital asset security, has made public the vulnerabilities in several cryptocurrency wallets, collectively identified as “Bitforge.” These flaws could enable criminals to steal millions of dollars in cryptocurrency without any direct interaction with the wallet owners or providers. Although some providers have already taken action to fix the issues, others remain at risk.

Fireblocks Exposes Bitforge Flaws

Fireblocks, a company dealing in security and consultancy for cryptocurrency assets, has announced Bitforge, a series of wallet vulnerabilities potentially impacting millions of clients. These issues were detected by the Fireblocks team in May but were revealed only recently in a Black Hat 2023 conference talk titled “Small Leaks, Billions Of Dollars: Practical Cryptographic Exploits That Undermine Leading Crypto Wallets.”

The identified vulnerabilities target Multi-Party Computation (MPC) algorithms used by various vendors. The initial vulnerability involves GG18 and GG20, two protocols described by Fireblocks as “trailblazing for the MPC wallet sector” and “extensively utilized by businesses in the field.”

This particular exploit lets malefactors extract the private key, thereby gaining control over the cryptocurrencies within the compromised wallet. Fireblocks even demonstrated a working proof-of-concept for this attack.

Likewise, the second vulnerability pertains to Lindell17, a signing protocol. Fireblocks highlights that this exploit “emerges from Lindell17 implementations that deviate from the academic paper’s guidelines, neglecting or improperly handling aborts in the event of signature failures.”

This specific flaw was first identified in the Zengo wallet and later found to be effective against Coinbase Wallet as a Service (WAAS), as well as open-source implementations of the protocol. Zengo and Coinbase have promptly patched their wallets to counter this threat.

Jeff Lunglhofer, Coinbase’s Chief Information Security Officer, expressed gratitude to Fireblocks for its prompt disclosure, informing Bleeping Computer that “even though Coinbase’s customers and funds were never in danger, upholding a completely trustless cryptographic model is vital to any MPC implementation.”

Tool to Check Vulnerability

In light of the numerous wallets that may be impacted by these vulnerabilities, Fireblocks has created a tool that enables wallet providers and users to assess whether their wallets are susceptible to these flaws.

Currently, only Coinbase and Zengo are marked as secure against the Lindell17 vulnerability. Fireblocks clarified that not all wallet providers are listed, as “it aligns with the industry’s ethos to strengthen collectively behind the scenes rather than publicly denounce companies and tarnish their reputation.”

What are your thoughts on the Bitforge wallet exploits? Share your opinions in the comments section below.

Frequently Asked Questions (FAQs) about Bitforge vulnerabilities

What are the Bitforge vulnerabilities disclosed by Fireblocks?

The Bitforge vulnerabilities are flaws affecting several cryptocurrency wallets, enabling criminals to steal cryptocurrency without interacting with wallet owners or providers. These vulnerabilities target Multi-Party Computation (MPC) algorithms and were publicly disclosed by Fireblocks, a digital assets security company.

Which protocols are affected by the first Bitforge vulnerability?

The first Bitforge vulnerability is related to GG18 and GG20, two protocols described as pioneering for the MPC wallet industry and widely used by companies in the space.

What does the second Bitforge vulnerability concern?

The second vulnerability deals with Lindell17, a signing protocol, and originates from Lindell17 implementations deviating from the specification of the academic paper, mishandling or ignoring aborts in case of failed signatures.

Were any specific wallets confirmed to be affected by these vulnerabilities?

Yes, the second vulnerability was discovered in the Zengo wallet and later confirmed to work against Coinbase Wallet as a Service (WAAS). Both Zengo and Coinbase have patched their wallets to deal with this exploit.

Has Fireblocks provided any tool for users and providers to check for vulnerabilities?

Yes, Fireblocks has created a utility that allows wallet providers and users to check if their wallets can be exploited using these vulnerabilities. At the time of the disclosure, only Coinbase and Zengo were listed as secure against the Lindell17 exploit.

Why were not all wallet providers shown as secure or vulnerable by Fireblocks?

Fireblocks explained that not all wallet providers are shown because it’s part of the industry’s ethos to work together privately rather than publicly calling out companies and potentially harming their credibility.


6 comments

MikeD August 14, 2023 - 2:03 am

Wow, this is scary stuff! How can we even trust our wallets anymore? Good on Fireblocks for finding this and letting people know about it.

Tom87 August 14, 2023 - 4:33 am

Cryptos always seem risky. Maybe that’s the price we pay for the technology. Gotta keep eyes open and stay vigilant. Great post, btw.

Nina_k August 14, 2023 - 6:56 am

I’m using one of those wallets. Now I’m wondering if I should switch. Anyone have any suggestions, what’s the best wallet out there? Is it even safe to stay with crypto anymore?

CathyM August 14, 2023 - 10:54 am

Those vulnerabilities are too technical for me, but I’m glad some companies have already fixed the problem. I hope others follow suit quickly.

SarahT91 August 14, 2023 - 5:54 pm

Great article. But really, how common are these attacks? Should we be worried or is this just another case of media hype?

james_the_cool August 14, 2023 - 9:48 pm

just updated my wallet, thanks for the info. I think more companies should be proactive like fireblocks. teamwork makes the dream work!
