[ad_1]
As the cryptocurrency industry continues to grow and develop, so does its potential risks and vulnerabilities. To stay ahead of the curve, many crypto companies are taking proactive steps to avoid exploits on their platforms. From implementing strong security measures to conducting regular audits, these companies are committed to ensuring the safety and security of their users. Recently, BitGo, a popular cryptocurrency wallet, has patched a critical vulnerability that could potentially expose retail and institutional users’ private keys.
Fireblocks Became Messiah for Bitgo
In December 2022, the cryptographic research team at Fireblocks discovered a significant vulnerability in BitGo’s Threshold Signature Scheme (TSS) wallet. This flaw has the potential to expose the private keys of exchanges, banks, businesses, and platform users, and Fireblock has named it the BitGo Zero Proof Vulnerability.
The vulnerability turned out to be particularly worrying because an attacker could extract the private key in less than a minute using only a small amount of JavaScript code. As a result, BitGo took swift action and suspended the vulnerable service on December 10, 2022. A patch was released in February 2023, and BitGo required a client-side update to the latest version before March 17 to address the issue.
The Fireblocks team revealed how they discovered the exploit by using a free BitGo account on the mainnet. By identifying the missing components of the required no-knowledge proof in BitGo’s TSS ECDSA wallet protocol, teams can expose private keys through direct attacks.
To mitigate the possibility of a single point of attack, industry standard enterprise-grade cryptocurrency asset platforms employ multi-party-computation (MPC/TSS) or multi-signature technologies. This involves distributing private keys among multiple parties to ensure security controls if one party is compromised. This approach minimizes the risks associated with holding cryptocurrency assets and helps avoid potential exploitation.
Crypto Market Could Witness Another Exploitation
Fireblocks shows that internal and external attackers can gain full access to private keys through two methods.
First, a compromised client-side user can initiate a transaction to obtain a portion of the private key stored in the BitGo system. BitGo will then perform signing computations and share information that leaks BitGo key fragments, potentially exposing the entire private key. Tim said:
“Attackers can now reconstruct full private keys, load them on external wallets and withdraw funds immediately or at a later stage.”
The second scenario explores possible attacks if BitGo is compromised. In this scenario, the attacker would wait for the customer to initiate a transaction and respond with a malicious value. This value will be used to sign transactions using the customer key shard. By exploiting the response, the attacker will expose the user’s key shard and combine it with the BitGo key shard to gain control of the wallet.
Fireblocks advises users to create a new wallet and transfer funds from BitGo’s ECDSA TSS wallet prior to the patch, although no attacks have been made via this method.
[ad_2]
Source link