No, BitForge only impacts MPC wallet providers that utilize the GG-18, GG-20, and Lindell17 protocols.

Even if your provider is using another MPC protocol, it is important to ensure they undergo regular code audits and have the cryptography resources to immediately patch security vulnerabilities.

The security and concept of MPC remains intact. The vulnerabilities identified are affecting specific implementations of MPC, and not the overarching concept itself. 

When security flaws and vulnerabilities are found, every software and cryptographic protocol must be thoroughly audited and tested, and teams must have a plan in place to address security issues in a timely fashion. 

The BitForge vulnerability does not reflect the security of MPC as a technology. The vulnerabilities identified are affecting specific implementations of MPC, and not the overarching concept itself. 

MPC remains the leading security technology to protect private keys during generation, signing, and storage. This is because MPC removes the concept of a single private key; such a key is never gathered as a whole, neither during the first creation of the wallet nor during the actual signature.

At Fireblocks, we understand that no security technology alone is unbreakable. As we’ve seen over the years, the best defense against cybercriminals is a multilayered one that can provide redundancy in the event that one of the security controls fails. That’s why Fireblocks utilizes a multi-layer security approach to protect all attack surfaces and provide redundancy in the event that one of the security controls fails. Layers of the strongest software and hardware defenses create a truly secure environment for storing, transferring, and issuing digital assets.

Not all MPC protocols and implementations are created equal. Proficiency in implementation and the ability to manage and resolve vulnerability issues to protect users vary widely, as does the security level of different MPC implementations. 

It takes a team of cryptography experts to bring any cryptographic protocol from the academic research paper to production implementation. In the case of Lindell17, wallet providers deviated from the academic paper which created a backdoor for attackers to expose the private key when signing fails. For GG18 and GG20, there was a missing zero-knowledge proof in the academic paper that created a vulnerability in the implementation. 

The BitForge vulnerability demonstrates that even though a wallet provider may use MPC, it is up to their cryptography and security experts to ensure proper implementation and constantly monitor for the latest attack vectors.

No, it is not recommended that you move to multi-sig. From a security standpoint, there’s no reason to switch to multi-sig as the weaknesses of multi-sig (not protocol agnostic, operationally inflexible) still stand.

For more on the differences between multi-sig and MPC, read our blog post on the topic.

What makes an excellent cryptography team is its ability to understand, assess risk, and fix potential vulnerabilities promptly once identified. Cryptography teams should stay updated on the latest cryptography developments and evolving attack vectors impacting digital assets. When notified of a security vulnerability they should have an action plan to address the security challenges in a reasonable timeframe.

Some Fireblocks customers use more than one custody technology provider for a multitude of reasons, such as to meet a regulatory requirement to hold a portion of assets with a qualified custodian. It is our responsibility to assess the security of our customers’ systems, and that includes understanding areas in which they may be vulnerable, so that we may assist with risk mitigation to help fortify our customers’ security posture. 

With security research at our core, Fireblocks constantly advances our security practices to protect customers from emerging attack vectors. Our research team sits at the center of the cryptography community, frequently collaborating with academic researchers and contributing to the latest developments in the space.

As far as we know, the vulnerabilities have not been exploited. However, if an attacker was stealing a private key, it would be impossible to know until they move funds to a new wallet.

As part of the responsible disclosure process, Fireblocks provided the industry-standard 90-day notice to all identified providers before publishing the findings from the BitForge vulnerabilities.

The protocols implemented by Fireblocks – MPC-CMP and MPC-CMPGG – are not impacted by BitForge. They are not vulnerable as they utilize the required Zero Knowledge Proofs to validate all secret key material throughout the key generation, signing, and storage processes.

In the blockchain industry, we’re all building towards the same goals. With some of the recent hacks, the positive takeaway was that if you’re in a community that is banded together toward a common goal, it makes a huge difference.

It’s part of the DNA of the industry to work together to be stronger out of the public eye rather than calling companies out publicly and harming their credibility before giving them the chance to make any fixes.

Instead, we recommend that users either check with their providers directly or utilize our BitForge Status Tracker to find out whether they are currently exposed to an impacted MPC implementation.

Fireblocks’ MPC implementations are open source under limited license (read more on our blog: Fireblocks’ MPC-CMP code is Open-Source), and have been audited by multiple top-tier firms, most recently by NCC Group.