BitForge: Fireblocks Uncovered Vulnerabilities in Over 15 Major MPC Wallets

• "The Fireblocks research team analyzed dozens of publicly available MPC protocols and wallet providers."
• "In doing so, the team uncovered zero-day vulnerabilities in implementations used by more than 15 digital asset wallet providers, blockchains, and open-source projects, that would allow an attacker with privileged access to drain funds from wallets."

"Of the wallet providers Fireblocks' research team worked with to patch the vulnerabilities, Coinbase WaaS and Zengo were best-in-class in managing and resolving the issues in a timely manner, ensuring that their users were well-protected."

• "With the vast amount of closed implementations, we recommend that businesses check with their providers directly or visit the BitForge Status Checker to learn more."
• "The BitForge vulnerabilities, if left unremedied, would enable attackers to exploit a newly discovered flaw in the GG18 and GG20 protocols by exfiltrating the full private key due to a missing zero-knowledge proof."
• "The Lindell17 protocol vulnerability stems from wallet providers’ deviating from the academic paper, creating a backdoor for attackers to expose part of the private key when signing fails."
• "The exploits were validated on major open-source implementations, and a working POC was built on the open libraries."

"Aside from Coinbase WaaS, Zengo, and Binance, dozens of other wallet providers are also known to be impacted by the BitForge vulnerability. Therefore, Fireblocks has published the BitForge Status Checker so that projects can find out if they might be exposed to an impacted MPC implementation: www.fireblocks.com/BitForge."

Full Blog Post / Archive
GG18/20 Technical Post / Archive
Lindell17 Post / Archive