Latest news about Bitcoin and all cryptocurrencies. Your daily crypto news habit.
Fireblocks said the vulnerabilities affecting Coinbase, Binance and Zengo have since been fixed and has reached out to more than 12 others still at risk.
Over 15 widely-used crypto wallet providers and projects have gaping vulnerabilities that could potentially see millions of crypto wallets drained, according to digital asset infrastructure firm Fireblocks.
In an Aug. 9 press release, Fireblocks said the series of vulnerabilities, dubbed BitForge, are affecting wallets using multi-party computation (MPC) technology, which allows for multiple parties to control and manage cryptocurrency holdings.
1/ The Fireblocks research team has uncovered BitForge, a set of vulnerabilities in some of the most widely adopted MPC protocols, that allow an attacker to retrieve a private key from a single device. Read on → https://t.co/xo2r9zgCvj pic.twitter.com/7q1nEeVBwO
— Fireblocks (@FireblocksHQ) August 9, 2023
The identified issues were disclosed as “zero day” vulnerabilities — meaning that the flaws had not previously been identified by the projects.
“If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, with no knowledge to the user or vendor.”
The firm disclosed that the BitForge vulnerabilities affected many of the top wallet providers, including Coinbase, Zengo and Binance. Following an industry-standard “90 day disclosure period” from Fireblocks, the three firms have since resolved the identified issues.
In a statement, Coinbase’s chief information security officer, Jeff Lunglhofer, thanked Fireblocks for identifying and responsibly disclosing the issue, adding that Coinbase customers and funds were never at risk. Zengo Chief Technology Officer Tal Be'ery noted that the issue was promptly fixed and no user funds were affected.
3/ We want to extend our gratitude to the researchers at Fireblocks for identifying this issue, conducting an ethical disclosure, and helping to improve the security of the ecosystem.
— Coinbase Cloud ️ (@CoinbaseCloud) August 9, 2023
Fireblocks said it has worked to identify other firms that may be implicated in similar security concerns and have reached out to them.
This issue was present in the TSS Library Binance open-sourced, which has been fixed. Thanks to Fireblocks for uncovering it!
No @Binance user funds affected.
Even MPC custody solutions have risks. Stay #SAFU! https://t.co/UneRs7VOj7— CZ Binance (@cz_binance) August 10, 2023
Binance CEO Changpeng Zhao, too, thanked Fireblocks for uncovering the vulnerability as the crypto exchange was able to rectify the issues before any damage could occur.
MPC wallets encrypt a user’s private key and share it between several parties — typically comprised of the wallet owner, a wallet provider, and another third party. Theoretically, no one of these entities should be able to unlock the wallet without first communicating with the others.
Related: Tel Aviv Stock Exchange to offer crypto services via Fireblocks pact
However, according to Fireblocks’ technical reports on the BitForge vulnerabilities, the vulnerabilities would have allowed hackers to “extract the full private key if they were able to compromise only one device.”
“While we are encouraged to see that MPC is now ubiquitous within the digital asset industry, it is evident from our findings — and our subsequent disclosure process — that not all MPC developers and teams are created equal,” said Fireblocks’ chief technology officer and co-founder, Pavel Berengoltz.
“Companies leveraging Web3 technology should work closely with security experts with the know-how and resources to stay ahead of and mitigate vulnerabilities,” he added.
Deposit risk: What do crypto exchanges really do with your money?
Disclaimer
The views and opinions expressed in this article are solely those of the authors and do not reflect the views of Bitcoin Insider. Every investment and trading move involves risk - this is especially true for cryptocurrencies given their volatility. We strongly advise our readers to conduct their own research when making a decision.