BitGo, a cryptocurrency wallet service provider, patched a vulnerability identified in its recently released Ethereum and ERC-20 Threshold Signature Scheme (TSS) wallets. An initial announcement of the ETH TSS hot wallets was made on Oct. 31, 2022, with the promise of lower gas fees for users. BitGo developers on Github conveyed an update on Dec. 9, 2022, noting that the service did not have full support for third-party verification of key shares and signature shares.
Blockchain infrastructure company Fireblocks claimed that they had identified and notified BitGo of the vulnerability in December 2022. Fireblocks’ press release said that the vulnerability could have exposed the private keys of exchanges, banks, businesses, and users of the platform.
However, BitGo has since denied these claims by Fireblocks via a blog post, highlighting that its own developer team had already identified the lack of third-party verification, and it was on its to-do list as indicated in the GitHub documentation. In a message to Cryptopolitan clarifying the issue, the wallet service provider emphasized that user funds or private keys were never at risk of being compromised or disclosed through the vulnerability.
BitGo dismisses Fireblock’s disclosure
Cryptopolitan understands that BitGo clients were not actively using the MPC wallet type to store cryptocurrency assets at the time the vulnerability was discovered. However, 20 developers, including BitGo employees and contributors, had access to the wallet in early access, and Fireblocks engineers were able to carry out testing due to the open-source nature of BitGo’s core wallet code.
BitGo had previously disclosed a lack of third-party verification of key and signature shares last year, but the company’s response to Fireblocks’ claims was less than complimentary. In the blog post, BitGo referred to Fireblocks as a “competitor” attempting to turn a “known gap into a publicity stunt.”
Fireblocks claimed that the vulnerability would allow potential attackers to quickly extract a private key using a small amount of JavaScript code. The company said they identified the exploit using a free BitGo account on mainnet and revealed that a missing part of mandatory zero-knowledge proofs in BitGo’s ECDSA TSS wallet protocol allowed the team to expose the private key through a simple attack.
BitGo refuted these claims saying they had suspended the vulnerable service on December 10, 2022, and released a patch in February 2023 that required client-side updates to the latest version by March 17. They revealed that only early-access wallet was affected— which none of its clients are presently using.
Industry-standard enterprise-grade cryptocurrency asset platforms make use of either MPC or multi-signature technology to remove the possibility of a single point of attack. This is done by distributing a private key between multiple parties to ensure security controls if one party is compromised.
The crypto industry has been faced with lots of hacks. Cryptopolitan recently revealed the hack on Euler Finance that resulted in the loss of huge funds. In August 2022, over $8 million was stolen from more than 7,000 wallets on the Solana blockchain. Meanwhile, a separate hack of MyAlgo wallet service on the Algorand network saw more than $9 million being siphoned off from numerous well-known wallets.
