Fireblocks reveals a significant flaw affecting cryptocurrency wallets

Since then, the vulnerabilities affecting Coinbase, Binance, and Zengo have been patched, and Fireblocks has reached out to more than 12 others that are still vulnerable.

According to digital asset infrastructure company Fireblocks, over 15 of the most popular crypto wallet providers and initiatives have vulnerabilities that could lead to the loss of millions of crypto wallets.

In a press release dated August 9, Fireblocks stated that the BitForge vulnerabilities affect wallets utilizing multi-party computation (MPC) technology, which enables multiple parties to control and manage cryptocurrency holdings.

The identified issues were disclosed as "zero-day" vulnerabilities, indicating the defects had not been discovered by the projects prior to their disclosure.

The company disclosed that Coinbase, Zengo, and Binance were among the wallet providers affected by the BitForge vulnerabilities. Following an industry-standard "90-day disclosure period" from Fireblocks, the identified issues have been resolved by the three companies.

Coinbase's chief information security officer, Jeff Lunglhofer, issued a statement in which he commended Fireblocks for identifying and responsibly disclosing the issue, adding that Coinbase clients and funds were never at risk. Tal Be'ery, chief technology officer of Zengo, stated that the issue was quickly resolved and no user funds were compromised.

Fireblocks stated that it has identified other companies that may be involved in similar security issues and has reached out to them.

The CEO of Binance, Changpeng Zhao, also thanked Fireblocks for discovering the flaw, as the cryptocurrency exchange was able to fix the problems before any harm could occur.

MPC wallets encrypt the private key of a user and distribute it to multiple parties, typically the wallet proprietor, the wallet provider, and a third party. Theoretically, none of these entities should be able to open the wallet without communicating with the others first.

Nevertheless, according to Fireblocks' technical assessments on the BitForge vulnerabilities, the flaws would have allowed hackers to "extract the full private key if they were able to compromise only one device."

Pavel Berengoltz, co-founder and chief technology officer of Fireblocks, stated, "While we are encouraged to see that MPC is now ubiquitous within the digital asset industry, it is evident from our findings — and our subsequent disclosure process — that not all MPC developers and teams are created equal."

"Companies leveraging Web3 technology should work closely with security experts with the know-how and resources to stay ahead of and mitigate vulnerabilities," he added.