Fireblocks, an enterprise-focused crypto infrastructure firm, has uncovered a set of vulnerabilities – referred to as “BitForge” – impacting a variety of crypto wallets that use multi-party computation (MPC) technology. The firm has classified BitForge as a “zero-day” – meaning the vulnerabilities hadn’t been discovered by developers of the affected software prior to disclosure from Fireblocks. Major companies such as Coinbase, ZenGo, and Binance have already worked with Fireblocks to remediate their exposure to potential exploits.
The episode raises questions about the safety of MPC wallets. According to Fireblocks, “If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, with no knowledge to the user or vendor.” Fireblocks CEO Michael Shaulov believes the complexity of the vulnerabilities made them difficult to discover in advance of the disclosure.
MPC wallets encrypt a user’s private key and split it across several different parties – typically some combination of a wallet user, a wallet provider, and a trusted third party. The BitForge vulnerabilities would have “allowed a hacker to extract the full private key if they were able to compromise only one device,” undermining the whole “multi-party” aspect of MPC.
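The key-splitting property that BitForge undermined, as an added example (not code from Fireblocks or any vendor named here): a toy 2-of-2 additive sharing over the secp256k1 group order, showing that either share alone is statistically independent of the private key and that only both together reconstruct it. The demo key, the toy modulus 17 and the function names are constructed for illustration.

```python
import secrets

# Group order of secp256k1 (the curve behind Bitcoin and Ethereum keys).
# A private key is an integer in [1, N-1]; shares live in the same field.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_key(private_key: int, modulus: int = N) -> tuple[int, int]:
    """2-of-2 additive sharing: private_key == (s1 + s2) mod modulus.

    s1 is uniform random, so by itself it is statistically independent of
    the key; s2 is whatever makes the sum come out right. This toy splits
    an existing key for illustration; a real MPC wallet generates the
    shares jointly so that no single party ever sees the whole key.
    """
    if not 1 <= private_key < modulus:
        raise ValueError("private key out of range")
    s1 = secrets.randbelow(modulus)
    s2 = (private_key - s1) % modulus
    return s1, s2


def combine_shares(s1: int, s2: int, modulus: int = N) -> int:
    """Reconstruct the key. Requires BOTH shares, which is the whole point."""
    return (s1 + s2) % modulus


def keys_consistent_with_one_share(share: int, modulus: int) -> list[int]:
    """Which keys can someone holding only `share` rule out? None.

    For every candidate key k there is exactly one partner share
    (k - share) mod modulus, so every key is equally plausible. Enumerated
    over a small modulus so it is printable; the argument is the same for N.
    """
    return sorted({(share + partner) % modulus for partner in range(modulus)})


if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1          # constructed demo key
    s1, s2 = split_key(key)
    assert combine_shares(s1, s2) == key
    # Toy modulus 17: a lone share is consistent with every possible key.
    print(keys_consistent_with_one_share(5, 17))  # -> [0, 1, ..., 16]
```

A compromised single device in a correct scheme therefore yields a uniformly random value; BitForge mattered because implementation flaws let an attacker learn more than that one share.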
Coinbase says its main user-facing wallet service, Coinbase Wallet, was not impacted by the bugs, whereas Coinbase Wallet-as-a-Service (WaaS) – which companies can use to power their own MPC wallets – was technically vulnerable before Coinbase implemented a fix. “It is extremely unlikely that any customer would be willing to go through that tedious and manual process hundreds of times before contacting us for support,” Coinbase said.
Fireblocks has worked to identify other teams that might be impacted and has reached out to them in accordance with the “industry-standard 90-day responsible disclosure process.” If MPC wallet users want to know whether they might be using a vulnerable wallet, Shaulov said they can reach out to Fireblocks or fill out a form that will be posted to its website.