Fireblocks exposes critical vulnerabilities in popular MPC wallets

Blockchain Vulnerabilities and the Importance of Multi-Party Computation (MPC) Technology

Fireblocks, an enterprise-focused crypto infrastructure firm, recently revealed a set of vulnerabilities collectively known as “BitForge.” These vulnerabilities affect popular crypto wallets that employ multi-party computation (MPC) technology. BitForge, classified as a “zero-day” vulnerability, had not been discovered by the affected wallet software developers prior to Fireblocks’ disclosure.

Impacted companies, including Coinbase, ZenGo, and Binance, have already collaborated with Fireblocks to address their exposure to potential exploits. Fireblocks has also proactively identified other teams that may be affected and initiated contact with them according to the standard industry practice of responsible disclosure within 90 days.

While major wallet providers may have patched these vulnerabilities, this incident raises concerns about the level of security offered by supposedly ultra-safe MPC wallets. Fireblocks highlighted the potential severity of the vulnerabilities, stating that if left unremediated, attackers and malicious insiders could drain funds from millions of retail and institutional customers’ wallets without their knowledge or that of the vendor.

Although these exploits could have been practically implemented, the complex nature of the vulnerabilities made them challenging to discover before Fireblocks’ disclosure. The CEO of Fireblocks, Michael Shaulov, expressed his belief that the likelihood of someone discovering and disclosing the vulnerabilities long before his team did is very low.

To address concerns, MPC wallet users can reach out to Fireblocks or fill out a form available on their website to determine if they are using a vulnerable wallet.

Multi-Party Computation

In the context of crypto wallets, MPC technology was primarily designed to eliminate single points of failure. It ensures that a private key is not stored on a single server or device. With MPC, a user’s private key is encrypted and split across multiple parties, such as the wallet user, wallet provider, and a trusted third party. No single entity can unlock the wallet without assistance from the others.

The BitForge vulnerabilities identified by Fireblocks would have allowed an attacker to extract the full private key if they compromised only one device, undermining the multi-party aspect of MPC.

How it Works

Fireblocks released a set of technical reports outlining the BitForge vulnerabilities. Generally, for an attacker to exploit these vulnerabilities, they would need to compromise a wallet user’s device or gain access to the internal systems of the wallet service or a third-party custodian where the user’s encrypted private key is stored.

The specific steps required would depend on the wallet provider. The BitForge vulnerabilities were present in popular research papers that describe how to build MPC systems, and different wallet providers may have implemented this research differently.

Coinbase stated that its user-facing wallet service, Coinbase Wallet, was not affected by the vulnerabilities. However, Coinbase Wallet-as-a-Service (WaaS), which powers third-party MPC wallets, was initially vulnerable before Coinbase implemented a fix. Coinbase emphasized that exploiting these vulnerabilities would be nearly impossible, requiring a malicious server within their infrastructure to trick users into initiating multiple fully authenticated signing requests multiple times.

Given the tedious and manual nature of this process, Coinbase believes it is highly unlikely that their customers would willingly engage in such actions before seeking support.

In conclusion, the BitForge vulnerabilities discovered by Fireblocks highlight the importance of robust security measures in the blockchain industry. While MPC technology offers enhanced security, these occurrences emphasize the ongoing need for vigilant monitoring and swift action to address vulnerabilities. It is crucial for wallet users and providers to proactively identify and remediate potential risks to protect the funds and information of millions of users.