Fireblocks Identifies Major Vulnerabilities In MPC Wallets

A series of significant vulnerabilities has been discovered in some of the most widely-used multi-party computation (MPC) protocols, as announced in a press release by MPC wallet company Fireblocks.

Following the 90-day "reponsible disclosure" period, which allows affected platforms to patch the problem without hackers being able to exploit it, Fireblocks has now released further details. Had the issues not been fixed, attackers could have stolen crypto from both retail and institutional customers who used MPC providers (including Coinbase WaaS, Zengo, and Binance), despite the fact that these protocols have a reputation for being extremely secure. A number of academic papers that included flaws have also been updated.

1/ The Fireblocks research team has uncovered BitForge, a set of vulnerabilities in some of the most widely adopted MPC protocols, that allow an attacker to retrieve a private key from a single device. Read on → https://t.co/xo2r9zgCvj pic.twitter.com/7q1nEeVBwO
— Fireblocks (@FireblocksHQ) August 9, 2023

What Is MPC?

Multi-party computation (MPC) is a means of generating wallets and signing transactions using a group of computers, rather than a single, centralized private key.

It differs from multi-sig transactions, which depend on a group of users holding separate keys. A certain number of members of the group need to sign a transaction to execute it (for example, 3-of-5, 5-of-9, etc).

With MPC, the set of devices collectively signs a transaction, off-chain, and no single device holds the key to a wallet. It is not evident which members of the group have participated, thanks to the properties of threshold encryption, which means the signature is the same no matter which parties participate. This makes it dramatically more secure, and private, since only the signed transaction is broadcast to the network. In fact, in some sense the private key to an account doesn't exist at all.

Many Wallets Still Vulnerable

Fireblocks' own wallets are not affected by the vulnerabilities, which they have called "BitForge", because they use Zero Knowledge Proofs to validate secret key material throughout the key generation, signing, and storage processes. Fireblocks also includes hardware security with MPC to decrease the attack surface and make exploits harder.

While major providers like Coinbase and Binance have addressed the problem, many others could still be impacted by the vulnerabilities. Fireblocks has published the BitForge Status Checker to allow projects to learn whether they might be affected.

This issue was present in the TSS Library Binance open-sourced, which has been fixed. Thanks to Fireblocks for uncovering it!

No @Binance user funds affected.

Even MPC custody solutions have risks. Stay #SAFU! 🙏 https://t.co/UneRs7VOj7
— CZ 🔶 Binance (@cz_binance) August 10, 2023

"As decentralized finance and Web3 continue to gain popularity, the need for secure wallet and key management providers is evident," commented Pavel Berengoltz, co-founder and CTO at Fireblocks. "While we are encouraged to see that MPC is now ubiquitous within the digital asset industry, it is evident from our findings—and our subsequent disclosure process—that not all MPC developers and teams are created equal. Companies leveraging Web3 technology should work closely with security experts with the know-how and resources to stay ahead of and mitigate vulnerabilities. Maintaining and updating core infrastructure technologies, like Web3 wallets, is crucial in preventing thefts and attacks, which amounted to nearly $500 million in the first half of 2023."

Subscribe to our newsletter and follow us on Twitter.