Fireblocks Discloses ‘Zero Day’ Vulnerabilities Impacting Leading MPC Wallets
1It’s unlikely users were impacted by the vulnerabilities – collectively referred to as “BitForge” – but Fireblocks says they could’ve let hackers “drain funds from the wallets of millions of retail and institutional customers in seconds” if left unfixed.
Fireblocks, an enterprise-focused crypto infrastructure firm, has disclosed a set of vulnerabilities – collectively referred to as “BitForge” – impacting a variety of popular crypto wallets that use multi-party computation (MPC) technology.
The firm has classified BitForge as a “zero-day” – meaning the vulnerabilities hadn’t been discovered by developers of the affected software prior to disclosure from Fireblocks.
Coinbase, ZenGo, and Binance – three of the biggest companies impacted by BitForge – have already worked with Fireblocks to remediate their exposure to potential exploits, according to the firm. Fireblocks says it has worked to identify other teams that might be impacted and has reached out to them in accordance with the “industry-standard 90-day responsible disclosure process.”
Even though the particular vulnerabilities may have been patched in major wallets, the episode raises potentially alarming questions about just how safe these supposedly ultra-safe MPC wallets really are.
“If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, with no knowledge to the user or vendor,” Fireblocks said in a statement shared with CoinDesk.
While Fireblocks says that attacks exploiting the vulnerabilities would have been “practical,” the firm believes their complexity made them difficult to discover in advance of Wednesday’s disclosure. “The chances that someone – some malicious actor from, let's say, North Korea figured it out months before we figured it out and disclosed it to wallet providers – I would say that the likelihood of that is very, very, very low,” Fireblocks CEO Michael Shaulov told CoinDesk.
If MPC wallet users want to know whether they might be using a vulnerable wallet, Shaulov said they can reach out to Fireblocks or fill out a form that will be posted to its website.
Multi-party computation.
In the context of crypto wallets, “MPC technology was primarily designed to make sure that that you don't have a single point of failure – a private key is not sitting on a single server or on a single device,” explained Shaurov.
Wallets that use MPC encrypt a user’s private key and split it across several different parties – typically some combination of a wallet user, a wallet provider, and a trusted third party. In theory, no single one of these entities can unlock the wallet without help from the others.
According to Fireblocks, the BitForge vulnerabilities would have “allowed a hacker to extract the full private key if they were able to compromise only one device,” undermining the whole “multi-party” aspect of MPC.
How it worked.
Fireblocks outlined technical details of the BitForge vulnerabilities in a set of technical reports released on Wednesday.
Generally, for an attacker to take advantage of the BitForge vulnerabilities, they would need to compromise the device of a wallet user or break into the internal systems of someone else with a piece of the user’s encrypted private key – either the wallet service or one of those third-party custodians.
The steps from...
https://www.coindesk.com/tech/2023/08/09/fireblocks-discloses-zero-day-vulnerabilities-impacting-leading-mpc-wallets/
#crypto #bitcoin #ethereum #cryptocurrency #news #blockchain #litecoin #cryptonews #cryptonewstoday #cryptoworld #cryptoworlddaily #fireblocks #fireblocksnews #fireblocksnewstoday #security #securitynews #securitynewstoday #wallet #walletnews #walletnewstoday #mpc #mpcnews #mpcnewstoday #multipartycomputation #multipartycomputationnews #crypto
***NOT FINANCIAL, LEGAL, OR TAX ADVICE! JUST OPINION! I AM NOT AN EXPERT! I DO NOT GUARANTEE A PARTICULAR OUTCOME I HAVE NO INSIDE KNOWLEDGE! YOU NEED TO DO YOUR OWN RESEARCH AND MAKE YOUR OWN DECISIONS! THIS IS JUST ENTERTAINMENT!
This information is what was found publicly on the internet. This information could’ve been doctored or misrepresented by the internet. All information is meant for public awareness and is public domain. This information is not intended to slander harm or defame any of the actors involved but to show what was said through their social media accounts. Please take this information and do your own research.
bitcoin, blockchain, crypto, cryptocurrency, altcoin, investment, ethereum, bitcoin crash, xrp, cardano, ripple