BitGo fixes severe vulnerability discovered by Fireblocks

Before the solution was announced, Fireblocks told users to set up new wallets and move ECDSA funds to BitGo wallets.

BitGo has corrected a significant issue that may have exposed the private keys of institutional and retail customers.

In December 2022, the Fireblocks cryptography research team uncovered the weakness and contacted the BitGo team.

The issue affected BitGo Threshold Signature Scheme (TSS) wallets and might have exposed the private keys of exchanges, banks, enterprises, and platform users.

The Fireblocks team dubbed the weakness the BitGo Zero-Proof Vulnerability. It would let prospective attackers extract a private key in less than a minute using a small amount of JavaScript code.

BitGo terminated the vulnerable service on December 10, 2023, and issued a fix in February 2023, mandating client-side upgrades to the most recent version by March 17, 2023.

The Fireblocks team described how it discovered the vulnerability using a free BitGo account on the mainnet. The omission of mandatory zero-knowledge proofs from BitGo’s ECDSA TSS wallet protocol enabled the team to expose the private key with a simple attack.

Enterprise-grade cryptocurrency asset systems use either multiparty computation (MPC/TSS) or multisignature technology to eliminate a single point of attack.

This is accomplished by distributing a private key among multiple parties so that security controls remain in place if one party is hacked.

Fireblocks was able to demonstrate that internal or external attackers could obtain a whole private key in two ways.

In the first, a compromised client-side user could initiate a transaction to obtain a piece of BitGo’s private key. BitGo would then complete the signature computation and, in doing so, disclose information that might compromise the BitGo key shard.

“The attacker can now reconstruct the full private key, load it in an external wallet and withdraw the funds immediately or at a later stage.”

The second scenario was an attack in which BitGo itself was hacked. An attacker would wait for a client to initiate a transaction and then respond with a fraudulent value.

This value is then used when the transaction is signed with the customer’s key shard. The attacker may combine the user’s key shard with BitGo’s key shard to seize control of the wallet.

Fireblocks said that no attacks had been carried out using the disclosed vulnerability, but cautioned users to create new wallets and move funds from ECDSA into BitGo wallets before the solution was released.

In recent years, wallet hacks have become prevalent in the bitcoin market. In August 2022, almost $8 million was stolen from over 7,000 Slope wallets on Solana.

The Algorand network wallet provider MyAlgo also suffered a wallet breach that resulted in the theft of nearly $9 million from many prominent wallets.