Fireblocks saves Crypto Wallet Bitgo from potential exploitation as it fixes critical vulnerability

As the cryptocurrency industry continues to grow and develop, so do the potential risks and vulnerabilities. To stay ahead of the curve, many crypto firms are taking proactive steps to avoid exploits on their platforms. From implementing robust security measures to conducting regular audits, these firms are committed to ensuring the safety and security of their users. Recently, BitGo, a popular cryptocurrency wallet, recently fixed a critical vulnerability that could have potentially exposed the private keys of both retail and institutional users.

Fireblocks will be a Messiah for Bitgo

In December 2022, the cryptography research team at Fireblocks discovered a significant vulnerability in BitGo’s Threshold Signature Scheme (TSS) wallets. This flaw had the potential to expose the private keys of exchanges, banks, businesses and platform users, and Fireblocks called it the BitGo Zero Proof Vulnerability.

The vulnerability was found to be particularly alarming as attackers could extract a private key in under a minute using just a small amount of JavaScript code. As a result, BitGo took swift action and suspended the vulnerable service on December 10, 2022. An update was released in February 2023, and BitGo required client-side updates to the latest version by March 17 to address the issue.

The Fireblocks team revealed how it discovered the exploit using a free BitGo account on the mainnet. By identifying a missing component of mandatory zero-knowledge proofs in BitGo’s ECDSA TSS wallet protocol, the team was able to expose the private key through a simple attack.

To reduce the possibility of a single point of attack, industry-standard enterprise-grade cryptocurrency asset platforms use either multi-party computation (MPC/TSS) or multi-signature technology. This involves distributing a private key between multiple parties to ensure security checks in case one party is compromised. This approach minimizes the risk associated with holding cryptocurrency assets and helps avoid potential exploits.

The crypto market could have witnessed another exploit

Fireblocks demonstrated that both internal and external attackers could gain full access to a private key through two methods.

First, a compromised client-side user can initiate a transaction to obtain a portion of the private key in BitGo’s system. BitGo will then perform the signing calculation and share information that leaks the BitGo key shard, potentially exposing the entire private key. The team said:

“The attacker can now reconstruct the entire private key, load it into a remote wallet and withdraw the money immediately or at a later time.”

The second scenario explores the possibility of an attack in the event BitGo is compromised. In this scenario, the attacker will lie in wait for a customer to initiate a transaction and respond with a malicious value. This value will be used to sign the transaction using the customer’s key slice. By exploiting the response, the attacker would reveal the user’s key shard and combine it with BitGo’s key shard to gain control of the wallet.

Fireblocks advises users to create new wallets and transfer funds from ECDSA TSS BitGo wallets before the update, although no attacks have been carried out through this method.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *