As the cryptocurrency industry continues to grow and evolve, so do the potential risks and vulnerabilities. In order to stay ahead of the curve, many crypto companies are taking proactive steps to prevent exploits on their platforms. From implementing robust security measures to performing regular audits, these companies are committed to ensuring the safety and security of their users. Recently, BitGo, a popular cryptocurrency wallet, recently patched a crucial vulnerability that could have potentially exposed the private keys of retail and institutional users.
Fireblocks becomes Bitgo’s messiah
In December 2022, the Fireblocks crypto research team discovered a significant vulnerability in BitGo’s Threshold Signature Scheme (TSS) wallets. This flaw had the potential to expose the private keys of exchanges, banks, companies, and platform users, and Fireblocks named it BitGo Zero Proof Vulnerability.
The vulnerability was particularly alarming because attackers could extract a private key in less than a minute using only a small amount of JavaScript code. As a result, BitGo took swift action and suspended the vulnerable service on December 10, 2022. A patch was released in February 2023 and BitGo demanded client-side updates to the latest version. before March 17 to solve the problem.
The Fireblocks team revealed how they discovered the exploit using a free BitGo account on the mainnet. By identifying a component missing mandatory zero-knowledge proofs in BitGo’s ECDSA TSS wallet protocol, the team was able to expose the private key through a simple attack.
To mitigate the possibility of a single point of attack, standard enterprise-class cryptocurrency asset platforms use either multi-party computing technology (MPC/TSS) or multi-signature technology. It involves the distribution of a private key between multiple parties to provide security checks in case one party is compromised. This approach minimizes the risks associated with holding cryptocurrency assets and helps avoid potential exploits.
The Crypto Market May Have Witnessed Another Exploit
Fireblocks demonstrated that internal and external attackers could gain full access to a private key through two methods.
First, a compromised client-side user could initiate a transaction to obtain part of the private key held in BitGo’s system. BitGo would then perform the signature calculation and share the information that leaks the BitGo key fragment, potentially exposing the entire private key. The team said:
“The attacker can now reconstruct the full private key, load it into an external wallet, and withdraw the funds immediately or later.”
The second scenario explores the possibility of an attack in the event that BitGo is compromised. In this scenario, the attacker would wait for a client to initiate a transaction and respond with a malicious value. This value would be used to sign the transaction using the customer’s key fragment. By exploiting the response, the attacker would expose the user’s key fragment and combine it with BitGo’s key fragment to gain control of the wallet.
Fireblocks advises users to create new wallets and transfer funds from ECDSA TSS BitGo wallets before the patch, even though no attacks were performed by this method.