Digital asset infrastructure company Fireblocks has identified a series of critical vulnerabilities, named BitForge, in over 15 popular cryptocurrency wallet providers and projects. These vulnerabilities impact wallets that employ multi-party computation (MPC) technology, which enables multiple parties to manage cryptocurrency holdings collectively. Fireblocks disclosed these issues as "zero-day" vulnerabilities, meaning they hadn't been previously identified by the projects.
If exploited, these vulnerabilities could potentially allow malicious actors to drain funds from millions of retail and institutional customers' wallets within seconds, without detection by users or providers. Fireblocks reported that several prominent wallet providers, including Coinbase, Zengo, and Binance, were affected by the BitForge breach. These companies have addressed the vulnerabilities following the industry-standard "90-day disclosure period."
Coinbase's Chief Information Security Officer Jeff Lunglhofer expressed gratitude for Fireblocks' responsible disclosure and clarified that customers' funds were never at risk. Zengo's CTO Tal Be'ery assured that the issue was quickly resolved and that user funds remained unaffected. Fireblocks has been actively identifying other companies that might have faced similar security problems and has reached out to them.
Multi-party computation (MPC) wallets encrypt a user's private key and distribute it among multiple parties, such as the wallet owner, the provider, and a third party. In theory, none of these entities can access the wallet without cooperation from the others. However, the BitForge vulnerabilities, as outlined in Fireblocks' technical report, could enable hackers to access the full private key by compromising a single device.
Fireblocks' CTO and Co-Founder, Pavel Berengoltz, emphasized the importance of working with security experts to mitigate vulnerabilities, particularly for companies utilizing Web3 technologies. While MPC has become widely adopted in the digital asset sector, Fireblocks' findings underscore that not all MPC developers and teams have the same level of expertise and resources to counter these vulnerabilities effectively.


















