Fireblocks reveals critical vulnerability in BitGo Ethereum wallets

The cryptography research team at Fireblocks, a blockchain infrastructure provider, has revealed details of a vulnerability in BitGo’s Ethereum wallets that use the company’s Threshold Signature Scheme (TSS).

Multiple parties may be affected

BitGo users, including several crypto exchanges, banks and well-known Web3 brands with hundreds of thousands of users, may have been affected by having their private keys exposed. Fireblocks has declined to disclose the names of the specific affected brands, citing a confidentiality agreement (NDA).

Fireblocks was reportedly able to identify the vulnerability as early as late December of last year, just over a month after the service went public.

After the technical details of the vulnerability were confirmed, BitGo reportedly suspended the affected service and subsequently released an update. The Palo Alto-based company also required its customers to update to the latest version before March 17.

Only single signature needed for exploit

Today’s announcement comes at the end of a “coordinated disclosure process” followed by the Fireblocks research team in conjunction with BitGo’s security team.

According to Fireblocks, the vulnerability could have allowed an attacker to extract a full private key using a single signature and a few seconds of computation time, bypassing all of BitGo’s security features.

BitGo is a digital asset manager and security company whose clients include Bitstamp, Pantera Capital, and eToro. TSS wallets were introduced in June 2022, with support for Ethereum wallets added in October.

Private keys could be stolen

The vulnerability reportedly resulted from a missing implementation of the mandatory Zero-Knowledge Proofs in the BitGo TSS wallet protocol, which uses the Elliptic Curve Digital Signature Algorithm (ECDSA).

The Zero Proof vulnerability was initially discovered in BitGoJS, the SDK BitGo clients use to interact with the BitGo API. BitGoJS is used to perform client-side signatures.

Exploiting the vulnerability in the SDK could allow an attacker to steal the private key share used by the client, regardless of their key storage methods and security measures.

While BitGo has taken steps to address the vulnerability, the Fireblocks team is still concerned that past exploits could have left affected brands’ NFT wallets vulnerable. A Fireblocks representative said the following:

“As attacks on the crypto industry accelerate, licensed custodians are tasked with securing billions of dollars in user funds. The vulnerability results from the wallet provider not following a well-regarded cryptographic standard.”

Fireblocks reports that while wallets generated after the patch should be secure, the keys of any BitGo Ethereum TSS wallet generated prior to the update may have been exposed. Therefore, the company considers all funds in those wallets to be at risk and advises moving them immediately to a secure wallet.
