As the cryptocurrency industry continues to grow and evolve, so do the potential risks and vulnerabilities. In order to stay ahead of the curve, many crypto firms are taking proactive steps to avoid exploits on their platforms. From implementing robust security measures to conducting regular audits, these firms are committed to ensuring the safety and security of their users. Recently, BitGo, a popular cryptocurrency wallet, has recently fixed a crucial vulnerability that could have potentially exposed the private keys of both retail and institutional users.
Fireblocks Becomes a Messiah for Bitgo
In December 2022, the cryptography research team at Fireblocks discovered a significant vulnerability in BitGo’s Threshold Signature Scheme (TSS) wallets. This flaw had the potential to expose the private keys of exchanges, banks, businesses, and platform users, and Fireblocks named it the BitGo Zero Proof Vulnerability.
The vulnerability was found to be particularly alarming as attackers could extract a private key in under a minute using just a small amount of JavaScript code. As a result, BitGo took swift action and suspended the vulnerable service on December 10, 2022. A patch was released in February 2023, and BitGo required client-side updates to the latest version by March 17 to address the issue.
The Fireblocks team revealed how it discovered the exploit by using a free BitGo account on the mainnet. By identifying a missing component of mandatory zero-knowledge proofs in BitGo’s ECDSA TSS wallet protocol, the team was able to expose the private key through a straightforward attack.
To mitigate the possibility of a single point of attack, industry-standard enterprise-grade cryptocurrency asset platforms utilize either multi-party-computation (MPC/TSS) or multi-signature technology. This involves distributing a private key among multiple parties to ensure security controls in case one party is compromised. This approach minimizes the risks associated with holding cryptocurrency assets and helps to avoid potential exploits.
Crypto Market Could Have Witnessed Another Exploit
Fireblocks demonstrated that both internal and external attackers could obtain full access to a private key through two methods.
First, a compromised client-side user could initiate a transaction to obtain a portion of the private key held in BitGo’s system. BitGo would then perform the signing computation and share information that leaks the BitGo key shard, potentially exposing the entire private key. The team said:
“The attacker can now reconstruct the full private key, load it in an external wallet and withdraw the funds immediately or at a later stage.”
The second scenario explores the possibility of an attack in case BitGo is compromised. In this scenario, the attacker would lie in wait for a customer to initiate a transaction and respond with a malicious value. This value would be used to sign the transaction using the customer’s key shard. By exploiting the response, the attacker would expose the user’s key shard and combine it with BitGo’s key shard to gain control of the wallet.
Fireblocks advises users to create new wallets and transfer funds from ECDSA TSS BitGo wallets before the patch, even though no attacks have been executed through this method.
Was this writing helpful?
No Yes
Shayan Chowdhury
Shayan is a digital nomad and a professional journalist. He delivers high-quality engaging articles to Coinpedia through his in-depth research and analysis.
Read More
A potential exploit has been dodged as crypto wallet Bitgo is saved by Fireblocks. Bitgo had become aware of a critical vulnerability in some third-party code used to power its Multi-Signature wallets, allowing users to store and manage their digital assets.
It has been announced that Fireblocks, a developer of secure infrastructure solutions for storing and transferring digital assets, has come to the crypto wallet’s aid with a timely deployment of its tools and services.
Fireblocks was quick to identify the vulnerability, which could have been used to give malicious actors access to user funds. It quickly patched the security hole and has now moved to investigate the full extent of the potential attack.
By using an array of tools, including its proprietary Hardware Security Module (HSM) and Software Guard Extensions (SGX), Fireblocks has managed to take preventive measures to protect Bitgo’s Multi-Signature wallet users. The company is now helping Bitgo to move its entire infrastructure over to the secure platform.
These actions are especially important given the increasingly sophisticating and persistent cyber security threats. While digital assets are becoming more mainstream, they are also increasingly less secure. This recent exploit serves as a reminder of the need for companies to have the right security measures in place to protect against cyberattacks.
By proactively deploying its solutions, Fireblocks delivered a invaluable service to Bitgo and the cryptocurrency industry at large. Fireblocks’ speedy response helped to protect both enterprises and individuals by helping to patch the vulnerability before it could be exploited, resulting in an invaluable security for all involved.
