Researchers at Fireblocks Inc., a digital asset infrastructure firm, revealed the discovery of multiple zero-day or yet-unpatched vulnerabilities affecting cryptocurrency wallets that could allow attackers or malicious parties to drain funds.

The researchers dubbed the series vulnerabilities “BitForge” in an announcement Wednesday afternoon and said that they affected a number of wallet providers, including those from Coinbase Inc., Zengo Ltd. and Binance Holdings Ltd. After a responsible 90-day disclosure period, all three major wallet producers have upgraded their wallets with security fixes and are no longer affected.

The researchers explained that the BitForge vulnerability affects wallets that implement particular multiparty computation protocols, including GG-18, GG-20 and Lindell 17. This is an important security measure in digital asset transactions that enables multiple parties to agree to execute a transaction by dividing a single private key among them. This makes a crypto wallet more difficult to hack and also means that no one person can access the funds without the others.

The GG-18 and GG-20 flaw allows an attacker to exfiltrate the full private key because of a missing zero-knowledge proof, which will permit the attacker to take control of the wallet funds and drain it. The Lindell 17 vulnerability comes from wallet providers not following the academic implementation, which created a backdoor for attackers to discover parts of the private key when signing fails, allowing the attacker to piece together the entire key after a large number of failed signings. It takes about 200 failed signature attempts.

“As decentralized finance and Web3 continue to gain popularity, the need for secure wallet and key management providers is evident,” said Pavel Berengoltz, co-founder and chief technology officer at Fireblocks. “While we are encouraged to see that MPC is now ubiquitous within the digital asset industry, it is evident from our findings — and our subsequent disclosure process — that not all MPC developers and teams are created equal.”

The Fireblocks security team said that it conducted the research and disclosed the vulnerability status to over 15 different digital asset wallet providers and projects over the course of its research. It added that MPC wallets provided by the company itself are unaffected and customer funds remain secure from attack.

Changpeng Zhao, chief executive of Binance, the largest crypto exchange in the world by volume, said that the problem affected the company’s wallet, but it was fixed after Fireblocks discovered it. “This issue was present in the TSS Library Binance open-sourced, which has been fixed,” Zhao said in an X post. “No Binance user funds affected. Even MPC custody solutions have risks.”

Coinbase Chief Information Security Officer Jeff Lunglhofer thanked Fireblocks for their responsible disclosure of the issue. “While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation,” said Lunglhofer. “Setting a high industry bar for safety protects the ecosystem and is critical to the broader adoption of this technology.”

Given that the security team is aware of multiple other wallets are affected by BitForge, the security team has published a BitForge Status Checker website for projects and businesses using closed implementations.

Image: Pixabay