Multiple zero days found affecting crypto platforms

Researchers have discovered multiple zero days affecting major cryptocurrency platforms like Coinbase and Binance.

Cybersecurity experts at Fireblocks said they discovered vulnerabilities – dubbed “BitForge” – affecting some of the most used cryptographic multi-party computation (MPC) protocols.

MPC is a field of cryptography and is one of the main technologies used by cryptocurrency wallet providers to secure coins and other assets. It essentially distributes computation to multiple parties so that no one entity can see the other’s data.

Nikolaos Makriyannis, cryptography research lead at Fireblocks, told a crowd at the Black Hat security conference in Las Vegas on Wednesday that MPC is the “crown jewel of modern cryptography.”

Pavel Berengoltz, co-founder and chief technology officer at Fireblocks, said that while it was encouraging that MPC is now ubiquitous in the crypto industry, his researchers found that “not all MPC developers and teams are created equal.”

“Maintaining and updating core infrastructure technologies, like Web3 wallets, is crucial in preventing thefts and attacks, which amounted to nearly $500 million in the first half of 2023,” he said.

Three of the most popular MPC protocols – GG-18, GG-20 and Lindell 17 – are affected by the issues found by Fireblocks.

The researchers explained that if left unremediated, the vulnerabilities would allow hackers to “drain funds from the wallets of millions of retail and institutional customers in seconds, with no knowledge to the user or vendor.”

Those affected include multiple wallet providers like Coinbase, Zengo, and Binance. Binance did not respond to requests for comment but executives from Coinbase and Zengo confirmed that the issues have been remediated.

“While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation,” said Jeff Lunglhofer, Chief Information Security Officer at Coinbase.

Tal Be'ery, co-founder of Zengo, similarly said the issue was promptly addressed and no user funds were affected.

In their Black Hat presentation, Fireblocks researchers noted that in addition to the big players in the crypto industry, dozens of other providers of wallets were affected.

Fireblocks created a website for platforms to check whether they are exposed to the BitForge issues.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.