Fireblocks Uncovers ‘BitForge’ Vulnerabilities Posing Threat to Major MPC Wallets

Author: Ruholamin Haqshanas

Crypto infrastructure company Fireblocks has identified a set of vulnerabilities known as “BitForge” that pose a threat to popular crypto wallets that use multi-party computation (MPC) technology. 

These vulnerabilities were classified as “zero-day,” meaning they were unknown to the developers of the affected software before Fireblocks disclosed them, the company said in a Wednesday press release.

Major companies such as Coinbase, ZenGo, and Binance have worked with Fireblocks to address the vulnerabilities and prevent potential exploits.

In the announcement, Fireblocks said attackers could have used the vulnerabilities to drain funds from the wallets of “millions of retail and institutional customers in seconds, with no knowledge to the user or vendor.”

Generally, to exploit these vulnerabilities, an attacker would need to compromise a wallet user’s device or break into the internal systems of the wallet service or a third-party custodian with access to a piece of the encrypted private key. 

The specific steps depended on the wallet being used.

Fireblocks has also identified other teams that might be impacted and has reached out to them through the industry-standard 90-day responsible disclosure process.

Fireblocks CEO Michael Shaulov said that although the vulnerabilities could have been exploited, the complexity of the attacks made it unlikely that they were discovered by malicious actors before Fireblocks disclosed them.

BitForge Vulnerability Undermines Security of MPC Wallets

While the vulnerabilities may have been patched in major wallets, the incident raises concerns about the safety of supposedly ultra-safe multi-party computation (MPC) wallets. 

MPC technology in crypto wallets was designed to eliminate single points of failure by splitting a user’s private key across multiple parties, such as the wallet user, the wallet provider, and a trusted third party. 

No single entity can unlock the wallet without assistance from the others. 

However, the BitForge vulnerabilities would have allowed a hacker to extract the full private key if they compromised just one device, undermining the multi-party aspect of MPC.

Coinbase stated that its user-facing wallet service, Coinbase Wallet, was not affected, but its Wallet-as-a-Service (WaaS) offering was technically vulnerable before the company implemented a fix. 

Coinbase claimed that the vulnerabilities discovered by Fireblocks would have been extremely difficult to exploit in its case, as it would require a malicious server within Coinbase’s infrastructure to trick users into initiating numerous authenticated signing requests.

“While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation,” Jeff Lunglhofer, chief information security officer at Coinbase, said. 

Likewise, Binance CEO Changpeng Zhao has revealed that the issue “was present in the TSS Library Binance open-sourced,” which has been fixed. 
