Fireblocks Reveals Crypto Wallet Flaws that Might Drain Your Assets

The Fireblocks Cryptography Research Team has unveiled a series of zero-day vulnerabilities impacting widely-used cryptographic multi-party computation (MPC) protocols. The vulnerabilities affect GG-18, GG-20, and implementations of Lindell 17, three prominent protocols in the crypto world.

If left unaddressed, these flaws could lead to rapid and unnoticed fund theft from the wallets of countless retail and institutional customers. Dubbed BitForge, this string of vulnerabilities has particularly affected major wallet providers like Coinbase WaaS, Zengo, and Binance.

According to a press release from the company, the essence of these vulnerabilities lies in the failure of some implementations to adequately secure cryptographic processes. Attackers and even malicious insiders could exploit these flaws to drain funds from crypto wallets in mere seconds, all while the user remains unaware of the theft. The consequences could be dire, with millions of dollars potentially at stake.

MPC Protocols at Risk: GG18 and GG20 Paillier Key Vulnerability

As noted, two significant vulnerabilities take center stage: GG18 and GG20 Paillier Key Vulnerabilities and Lindell17 Abort Vulnerabilities.

The GG18 and GG20 Paillier key vulnerability centers on the extraction of private keys from wallets utilizing the GG18 and GG20 protocols. It entails a meticulous process wherein attackers craft malicious messages to reveal the secret shards of the parties involved in the MPC protocol. This painstaking process, done repeatedly, eventually leads to full key extraction.

Fireblocks says it followed a standard responsible disclosure process, giving affected wallet providers like Coinbase WaaS and Zengo time to rectify these vulnerabilities. Both Coinbase WaaS and Zengo reportedly took swift action to fix the identified issues and secure their platforms. The academic papers containing these vulnerabilities have also been revised to ensure accuracy.

Growing Need for Security in the Crypto Market

As decentralized finance and Web3 technologies continue their surge, the necessity for impregnable wallet and key management solutions becomes evident. Pavel Berengoltz, Co-founder and Chief Technology Officer at Fireblocks, stated, “While the widespread adoption of MPC in the digital asset industry is promising, our findings underscore the fact that not all MPC developers are on the same level.” 

He emphasized the importance of close collaboration between companies leveraging Web3 technology and security experts who can identify and counter vulnerabilities.

Furthermore, Coinbase’s chief information security officer, Jeff Lunglhofer, expressed gratitude for Fireblocks’ proactive identification of the issue. “Setting a high industry bar for safety protects the ecosystem and is critical to the broader adoption of this technology,” he noted. 

Similarly, Tal Be’ery, chief technology officer and co-founder at Zengo, commended Fireblocks for their responsible disclosure and swift resolution, showcasing the power of open-source cryptographic libraries.

Apart from Coinbase WaaS, Zengo, and Binance, several other wallet providers have been exposed to the BitForge vulnerability. To assist projects in identifying potential vulnerabilities, Fireblocks has introduced the BitForge status checker on their website.

Meanwhile, Fireblocks’ own implementations, the MPC-CMP and MPC-CMPGG protocols, remain unaffected by the BitForge vulnerabilities. These protocols employ zero-knowledge proofs to ensure the security of secret key material throughout key generation, signing, and storage processes.

In essence, the Fireblocks Cryptography Research Team’s discoveries highlight the ongoing need for robust security measures in the crypto world. As the industry continues to evolve, maintaining vigilant watchfulness over vulnerabilities becomes paramount to protecting digital assets from the clutches of cybercriminals.

Latest posts by Joseph Alalade (see all)

Source: https://www.thecoinrepublic.com/2023/08/11/fireblocks-reveals-crypto-wallet-flaws-that-might-drain-your-assets/