Fireblocks said the vulnerabilities affecting Coinbase, Binance, and Zengo have since been fixed and has reached out to more than 12 others still at risk.
Over 15 widely-used crypto wallet providers and projects have gaping vulnerabilities that could potentially see millions of crypto wallets drained, according to digital asset infrastructure firm Fireblocks.
In an Aug. 9 press release, Fireblocks said the series of vulnerabilities, dubbed BitForge, are affecting wallets using multi-party computation (MPC) technology, which allows for multiple parties to control and manage cryptocurrency holdings.
1/ The Fireblocks research team has uncovered BitForge, a set of vulnerabilities in some of the most widely adopted MPC protocols, that allow an attacker to retrieve a private key from a single device. Read on → https://t.co/xo2r9zgCvj pic.twitter.com/7q1nEeVBwO
— Fireblocks (@FireblocksHQ) August 9, 2023
The identified issues were disclosed as “zero day” vulnerabilities — meaning that the flaws had not previously been identified by the projects.
“If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, with no knowledge to the user or vendor.”
The firm disclosed that the BitForge vulnerabilities affected many of the top wallet providers, including Coinbase, Zengo and Binance. Following an industry-standard “90 day disclosure period” from Fireblocks, the three firms have since resolved the identified issues.
In a statement, Coinbase chief information security officer Jeff Lunglhofer thanked Fireblocks for identifying and responsibly disclosing the issue, adding that Coinbase customers and funds were never at risk. Zengo CTO Tal Be’ery noted that the issue was promptly fixed and no user funds were affected.
3/ We want to extend our gratitude to the researchers at Fireblocks for identifying this issue, conducting an ethical disclosure, and helping to improve the security of the ecosystem.
— Coinbase Cloud ️ (@CoinbaseCloud) August 9, 2023
Fireblocks said it has worked to identify other firms that may be implicated in similar security concerns and have reached out to them.
MPC wallets encrypt a user’s private key and share it between several parties — typically comprised of the wallet owner, a wallet provider, and another third party. Theoretically, no one of these entities should be able to unlock the wallet without first communicating with the others.
Related: Tel Aviv Stock Exchange to offer crypto services via Fireblocks pact
However, according to Fireblocks’ technical reports on the BitForge vulnerabilities, the vulnerabilities would have allowed hackers to “extract the full private key if they were able to compromise only one device.”
“While we are encouraged to see that MPC is now ubiquitous within the digital asset industry, it is evident from our findings — and our subsequent disclosure process — that not all MPC developers and teams are created equal,” said Fireblocks CTO and co-founder Pavel Berengoltz.
“Companies leveraging Web3 technology should work closely with security experts with the know-how and resources to stay ahead of and mitigate vulnerabilities,” he added.
Deposit risk: What do crypto exchanges really do with your money?