Fireblocks Researchers Uncover BitGo Wallet Vulnerability
The vulnerability would have exposed BitGo wallet user's private key with a simple attack
Vulnerability found in BitGo TSS wallets where attackers can extract the full private key in less than 60 seconds
The Fireblocks cryptography team notified BitGo of the vulnerability on December 5, and after confirming the technical details, BitGo suspended its vulnerable service on December 10. In February, BitGo released a patch for the vulnerability, and required its clients to update to the latest version by March 17.
"As attacks on the crypto industry continue to accelerate, licensed custodians are entrusted with securing billions of dollars in user funds. The vulnerability is a result of the wallet provider failing to follow a well-reviewed cryptographic standard," said Idan Ofrat, Co-founder and CTO at Fireblocks. "The explosive growth of digital assets in the last few years, both in numbers of users and transaction volumes, has made it extremely lucrative for hackers to target this space. Fireblocs' mission is to help the industry increase its resilience and security, and our research team is proud to assist qualified custodians so that they may ensure the security of their code and offerings."
The vulnerability, which the Fireblocks team proved was exploitable via a free BitGo account on Mainnet, is a result of a missing implementation of mandatory zero-knowledge proofs in the BitGo ECDSA TSS wallet protocol, making it easy to expose the private key through a simple attack. All enterprise-grade digital asset custody platforms rely on either multi-party-computation (MPC/TSS) or multi-signature technology to eliminate a single point of compromise by distributing the private key between multiple users and parties, in order to ensure security controls even if one of the parties is compromised. The BitGo Zero Proof vulnerability allows any party, including internal and external attackers, to gain access to the full private key, completely bypassing all enterprise security and compliance controls. The attack could have been carried out in two possible scenarios:
While assets have not yet been withdrawn by attackers, it is feasible that private keys of wallets exposed to a similar class of vulnerabilities may have been compromised. As an industry best practice, Fireblocks recommends that users who created ECDSA TSS BitGo wallets prior to the fix date consider creating new wallets and transfer their funds to their new wallets.
For the full technical analysis of the BitGo Zero Proof Vulnerability, please visit https://www.fireblocks.com/blog/bitgo-wallet-zero-proof-vulnerability
View original content to download multimedia:https://www.prnewswire.com/news-releases/fireblocks-researchers-uncover-bitgo-wallet-vulnerability-301774766.html