The Fireblocks cryptography research team has uncovered BitForge – a series of zero-day vulnerabilities in some of the most widely adopted implementations of multi-party computation (MPC) protocols, including GG-18, GG-20, and Lindell17.
Multi-party computation remains the industry standard for wallet security, trusted and relied upon by countless institutions and retail users. In our ongoing effort to advance MPC security in the field of cryptography, the Fireblocks research team analyzed dozens of publicly available MPC protocols and wallet providers. In doing so, the team uncovered zero-day vulnerabilities in implementations used by more than 15 digital asset wallet providers, blockchains, and open-source projects that would allow an attacker with privileged access to drain funds from wallets. In some implementations, the attack takes only seconds, and neither the user nor the vendor would know it had happened.
With the vast amount of closed implementations, we recommend that businesses check with their providers directly or visit the BitForge Status Checker to learn more.
BitForge Vulnerability Overview
The BitForge vulnerabilities, if left unremedied, would enable attackers to exfiltrate the full private key from wallets using the GG18 and GG20 protocols by exploiting a newly discovered flaw: a missing zero-knowledge proof. The Lindell17 vulnerability stems from wallet providers deviating from the academic paper, creating a backdoor that lets attackers expose part of the private key when signing fails. The exploits were validated on major open-source implementations, and a working proof of concept (PoC) was built against those open libraries.
The MPC-CMP and MPC-CMPGG protocols implemented by Fireblocks are not affected by the BitForge vulnerabilities as they utilize the required Zero Knowledge Proofs to validate all secret key material throughout the key generation, signing, and storage processes. In addition, Fireblocks adopts a multi-layer security approach by combining hardware security and MPC to reduce the attack surface and the feasibility of real-world exploits.
GG-18 and GG-20
The GG-18 and GG-20 protocols are widely adopted by MPC wallet providers in the ecosystem. In 2020, the GG protocols were updated to patch a vulnerability, but these modifications created an additional vulnerability.
The severity of the vulnerability depends on a wallet provider’s specific implementation of the GG protocols. Some implementations are vulnerable to key extraction in 16 signatures, while others could require as many as 1 billion.
The vulnerability in these protocols was found at the pseudocode level, and all vendors implementing the protocols should be considered vulnerable. The vulnerability can be exploited to exfiltrate the key. Fireblocks recommends all providers implement the required ZK proofs. Read the GG18/20 technical blog for a complete overview.
Lindell17
The Lindell17 vulnerability originates from implementations deviating from the specification of the academic paper and mishandling failed signatures. The vulnerability allows an attacker to exploit the party that finalizes the signing process, either the wallet provider or user, to exfiltrate the key after approximately 200 signature requests. The vulnerability has been proven practical and validated on popular open-source libraries and some real-world systems. Read the Lindell17 technical blog for a complete overview.
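As an added example (not Fireblocks' code, nor code from any of the affected libraries), the following Python sketches the handling policy the paragraph implies: the party that finalizes the signature treats a failed completion as a stop condition rather than continuing to serve signing requests, and a log check flags key shares that accumulate failed completions. The signing round is abstracted as a callable, key refresh is assumed to exist elsewhere, and the log format and share ids are constructed for the example.

```python
"""Defensive handling of failed two-party signatures.

Added illustration, not Fireblocks' code or any MPC library's. The signing
round is abstracted as a callable (assumption); key refresh is assumed to
exist and is not implemented here.
"""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class SigningGuard:
    """Policy applied by the party that finalizes a signature.

    Any failed completion is treated as possible leakage, so once the
    failure count reaches max_failures the share is quarantined until a
    key refresh (which replaces the share material) resets it.
    max_failures=1 is the abort-on-failure behaviour the academic
    protocol prescribes; the post describes deviations from it.
    """
    max_failures: int = 1
    failures: Counter = field(default_factory=Counter)
    quarantined: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def sign(self, share_id, message, complete_round):
        """Run one signing attempt; complete_round(message) -> (ok, signature)."""
        if share_id in self.quarantined:
            # Refuse outright: retrying with the same share is what must not happen.
            raise PermissionError(f"{share_id}: quarantined, key refresh required")
        ok, signature = complete_round(message)
        if ok:
            return signature
        self.failures[share_id] += 1
        self.alerts.append(f"sign_fail share={share_id} count={self.failures[share_id]}")
        if self.failures[share_id] >= self.max_failures:
            self.quarantined.add(share_id)
            self.alerts.append(f"quarantine share={share_id}")
        return None

    def refresh(self, share_id):
        """Called after a key refresh has produced fresh shares (out of scope here)."""
        self.quarantined.discard(share_id)
        self.failures[share_id] = 0


# Detection side: constructed log lines in a hypothetical key=value format.
SAMPLE_LOG = [
    "2023-08-09T10:00:01Z signer=svc share=k1 result=ok",
    "2023-08-09T10:00:02Z signer=svc share=k7 result=fail",
    "2023-08-09T10:00:03Z signer=svc share=k7 result=fail",
    "2023-08-09T10:00:04Z signer=svc share=k2 result=fail",
    "2023-08-09T10:00:05Z signer=svc share=k7 result=fail",
    "2023-08-09T10:00:06Z signer=svc share=k1 result=ok",
]
LOG_RE = re.compile(r"share=(?P<share>\S+) result=(?P<result>ok|fail)")


def shares_with_repeated_failures(log_lines, threshold):
    """Key shares whose failed completions reach threshold.

    Many failed signing requests against one share is the pattern to
    look for, since the post describes extraction after repeated requests.
    """
    fails = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("result") == "fail":
            fails[m.group("share")] += 1
    return {share for share, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    guard = SigningGuard()
    print(guard.sign("k1", b"tx", lambda m: (True, b"sig")))  # b'sig'
    print(guard.sign("k1", b"tx", lambda m: (False, None)))   # None; k1 now quarantined
    print(guard.alerts)
    print(shares_with_repeated_failures(SAMPLE_LOG, 3))        # {'k7'}
```

The guard's default of one tolerated failure matches the abort semantics of the paper; the log check is the operational complement, giving a monitoring team a concrete signal (repeated failures concentrated on one share) to alert on when a deployed implementation cannot be changed immediately.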
Responsible Disclosure
As part of the 90-day responsible disclosure process, the Fireblocks team documented and verified its findings, then prepared and delivered a responsible disclosure message and plan to those impacted by BitForge.
The cryptography community responded positively, with multiple wallet providers fixing their implementations. Of the wallet providers Fireblocks worked with, Coinbase WaaS and Zengo stood out as the best-in-class at managing and resolving the issues promptly, ensuring their users were well-protected.
We’d like to thank the Fireblocks team for their responsible disclosure: This is exactly what proactive security collaboration looks like. The issue was promptly addressed, and no user funds were affected. This highlights the power of our open-source MPC cryptographic libraries, and we look forward to continuing to contribute to strengthening the cryptographic security of the entire ecosystem.
Crowdsourced Testing
To proactively encourage the improvement of our MPC implementation, Fireblocks has established a bug bounty on HackerOne. We will continue leveraging external expertise and crowdsourced security testing to identify and test potential vulnerabilities. Visit our bug bounty page for more details.
Stay tuned to the Fireblogs for ongoing updates related to digital asset security, and visit the BitForge Status Checker to find out if BitForge may have impacted a provider you use.