The Fireblocks Cryptography Research Team has found vulnerabilities in widely-used cryptographic systems like GG-18, GG-20, and versions of Lindell 17.
These vulnerabilities could let attackers drain funds from the wallets of both regular users and large institutions without anyone noticing.
The set of vulnerabilities, known as "BitForge," has already affected well-known wallet providers such as Coinbase WaaS, Zengo, and Binance.
In response to these findings, Coinbase WaaS and Zengo have taken quick action to fix the issues.
The academic papers containing the flaws have also been corrected.
These findings were presented at the Black Hat USA conference and will be discussed at Defcon.
Beyond Coinbase WaaS, Zengo, and Binance, other wallet providers are also affected by the BitForge vulnerability.
Fireblocks has created the BitForge Status Checker to help projects determine if they might be exposed to these vulnerabilities.
What are MPC Protocols?
MPC stands for Multi-Party Computation.
Think of it as a way for different computers (parties) to work together securely, even if some of them are dishonest or compromised.
It's like a group of friends solving a puzzle where each friend has a piece of the solution, and they need to work together to complete it.
In the context of this article, these protocols help in managing digital wallets and transactions.
What the researchers discovered is that some widely used methods for keeping digital money safe (MPC protocols) had weak points (the BitForge vulnerabilities).
Notably, Fireblocks' MPC-CMP and MPC-CMPGG protocols are not vulnerable to the BitForge issues.
These protocols incorporate essential Zero Knowledge Proofs, ensuring the validation of all secret key material throughout the key generation, signing, and storage processes.
Additionally, Fireblocks adopts a multi-layer security approach by combining hardware security and MPC, effectively reducing the risk of real-world exploits.