The crypto infrastructure company Fireblocks has disclosed a series of vulnerabilities dubbed BitForge. These vulnerabilities significantly impact commonly used crypto wallets built on multi-party computation (MPC) technology. The flaws were unknown to the software developers before Fireblocks disclosed them, which makes them zero-days.
Industry heavyweights such as Coinbase, ZenGo, and Binance were among those affected by BitForge. These companies have already collaborated with Fireblocks to mitigate any potential exploits that could have arisen from these vulnerabilities.
Although major wallets have patched these specific vulnerabilities, the episode raises serious questions about the security and reliability of these ‘ultra-safe’ MPC wallets. Even with the patches in place, all types of crypto wallets carry inherent risks, including those using cutting-edge security approaches like MPC.
Fireblocks showed that, without appropriate mitigation, these exposures could allow attackers and malicious insiders to withdraw funds from the wallets of institutional and retail customers. This could be achieved within seconds, without any indication to the user or vendor.
Cryptographically, MPC technology exists to eliminate a single point of failure by preventing a private key from being stored on a single server or device. Wallets that use MPC technology encrypt the user’s private key and distribute it among several parties. Ideally, none of these parties should be able to gain wallet access without assistance from the others.
However, Fireblocks has revealed that the BitForge vulnerabilities could allow a hacker to extract the complete private key by compromising just one device. This undermines the security premise of multi-party participation that lies at the heart of MPC technology.
To exploit these vulnerabilities, an attacker would have to infiltrate an individual’s device or breach the internal systems of another party holding part of the user’s encrypted key. The subsequent steps vary from wallet to wallet.
Despite the potential threats, Fireblocks CEO Michael Shaulov is of the opinion that the complexity of the attacks these vulnerabilities enable makes their discovery exponentially more difficult. He considers it implausible that a hostile entity discovered them ahead of their public exposure.
Looking ahead, MPC wallet users can reach out to Fireblocks to ascertain whether they may be using a vulnerable wallet and for the necessary steps to ensure adequate safeguards.
Source: Coindesk