attackers

BitGo patches critical vulnerability first discovered by Fireblocks

BitGo has patched a vulnerability that threatened to expose the private keys of retail and institutional users.

Cryptocurrency wallet BitGo has patched a critical vulnerability that could have exposed the private keys of retail and institutional users.

Cryptography research team Fireblocks identified the flaw and notified the BitGo team in December 2022. The vulnerability was related to BitGo Threshold Signature Scheme (TSS) wallets and had the potential to expose the private keys of exchanges, banks, businesses and users of the platform.

The Fireblocks team named the vulnerability the BitGo Zero Proof Vulnerability, which would allow potential attackers to extract a private key in under a minute using a small amount of JavaScript code. BitGo suspended the vulnerable service on Dec. 10 and released a patch in February 2023 that required client-side updates to the latest version by March 17.

The Fireblocks team outlined how it identified the exploit using a free BitGo account on mainnet. A missing part of mandatory zero-knowledge proofs in BitGo’s ECDSA TSS wallet protocol allowed the team to expose the private key through a simple attack.

Related: Euler Finance hacked for over $195M in a flash loan attack

Industry-standard enterprise-grade cryptocurrency asset platforms make use of either multiparty-computation (MPC/TSS) or multisignature technology to remove the possibility of a single point of attack. This is done by distributing a private key between multiple parties, to ensure security controls if one party is compromised.

Fireblocks was able to prove that internal or external attackers could gain access to a full private key through two possible means.

A compromised client-side user could initiate a transaction to acquire a portion of the private key held in BitGo’s system. BitGo would then perform the signing computation before sharing information that leaks the BitGo key shard.

“The attacker can now reconstruct the full private key, load it in an external wallet and withdraw the funds immediately or at a later stage.”

The second scenario considered an attack if BitGo was compromised. An attacker would wait for a customer to initiate a transaction, before replying with a malicious value. This is then used to sign the transaction with the customer’s key shard. The attacker can use the response to reveal the user’s key shard, before combining that with BitGo’s key shard to take control of the wallet.

Fireblocks noted that no attacks have been carried out by the identified vector but warned users to consider creating new wallets and moving funds from ECDSA TSS BitGo wallets prior to the patch

Hacks of wallets have been commonplace across the cryptocurrency industry in recent years. In August 2022, over $8 million was drained from over 7,000 Solana-based Slope wallets. Algorand network wallet service MyAlgo was also targeted by a wallet hack that saw over $9 million drained from various high-profile wallets.

Why DeFi should expect more hacks this year: Blockchain security execs

One reason is that “hackers have gotten smarter, gained more experience, and learned how to look for bugs,” according to the founder of a crypto auditing firm.

Decentralized finance (DeFi) investors should buckle themselves up for another big year of exploits and attacks as new projects enter the market and hackers become more sophisticated.

Executives from blockchain security and auditing firms HashEx, Beosin and Apostro were interviewed for Drofa’s “An Overview of DeFi Security In 2022” report, shared exclusively with Cointelegraph.

The executives were asked about the reason behind last year’s significant increase in DeFi hacks, and whether this will continue through 2023.

Tommy Deng, managing director of blockchain security firm Beosin, said while DeFi protocols will continue to strengthen and improve security, he also admitted that “there is no absolute security,” stating:

“As long as there is interest in the crypto market, the number of hackers will not decrease.”

Deng added that many new DeFi projects “don’t go through complete security testing before going live.”

Additionally, a significant amount of projects are now exploring the use of cross-chain bridges, which were a prime target for attackers last year, with $1.4 billion stolen in six exploits.

Deng’s comments mirror those of blockchain security firm CertiK, whictold Cointelegraph on Jan. 3 that it doesn’t “anticipate a respite in exploits, flash loans or exit scams” in the coming year.

In particular, CertiK noted the likelihood of “further attempts from hackers targeting bridges in 2023,” citing the historically high returns from attacks in 2022.

The founder and CEO of crypto auditing firm HashEx, Dmitry Mishunin, said th “hackers have gotten smarter, gained more experience, and learned how to look for bugs.”

“The crypto industry is still relatively new, and everyone is growing with each other, so it’s difficult to get too far ahead of bad actors.”

He added the amount of value in some DeFi projects made the industry “very attractive” to malicious actors and that the number of hacks “is only going to grow going forward.”

Mishuin said these attacks may even spread outside of DeFi, with attackers setting their sights on “crypto exchanges and banks” that enter the market offering “more secure solutions for storing digital assets.”

Related: Crypto’s recovery requires more aggressive solutions to fraud

Smart contract security and auditing firm Apostro co-founder Tim Ismiliaev gave a more hopeful take, however, as he expects the space to “mature over the next five years, and new best practices for securing decentralized finance protocols will emerge.”

Too long; didn’t read

Interestingly, both Mishunin and Deng noted that many of the post-incident reports provided by blockchain security firms often fail to reach their target audience — blockchain developers.

“The people that read such analyses are average investors that are concerned about their money. Actual blockchain developers are too busy coding; they don’t have time to read stuff like that,” said Mishunin.

Meanwhile, Deng said the reports are usually about “event-based vulnerabilities and related recommendations,” so they often don’t help other developers that might be vulnerable to other exploits.

He admitted, however, that reports on “general vulnerabilities” in DeFi “tend to do a good job of ramping up protection.”

“The reentrancy vulnerabilities are now not as common as they used to be.”