BitForge - Fireblocks Uncovered Vulnerabilities in Over 15 Major MPC Wallets

What is Multi-Party Computation (MPC)?

Multi-Party Computation (MPC) is a methodology for splitting a private key into multiple parts. It is similar to Shamir's Secret Sharing (SSS) but in reverse: in SSS, a private key is generated and then split into distributable shards, whereas in MPC the shards are defined first and later combine to produce a single signature under the key they jointly define. A benefit of both SSS and MPC is that they cannot be distinguished on-chain: to an observer, the result looks like a single ordinary signature.

MPC is often described as an alternative to standard multisignature. Although similar, they approach the challenge of signature aggregation differently:

Comparison to Multi-signature

From a functional point of view, multi-signature wallets, which use M-of-N keys per wallet, are similar to MPC-based wallets, which use M-of-N parts of a single key for a single-signature wallet. The difference is that a multi-signature wallet uses distinct signatures generated by distinct private keys to secure the wallet, while MPC produces only a single signature regardless of how many key parts participated.

MPC itself is a general methodology/framework, and many different protocol implementations exist.
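To make the SSS-versus-MPC distinction above concrete, here is an added Python example; it is not code from Fireblocks or from any of the wallet implementations or protocols this page discusses. It implements textbook Shamir sharing over a constructed prime field ("key first, then split") and an additive "shares first" key generation in a toy multiplicative group, where each party's published contribution combines into one public key without the private key ever being assembled. PRIME, GENERATOR, ORDER and all function names are choices made for this example; a real wallet would share a scalar modulo the curve order and work with elliptic-curve points instead of modular exponentiation.

```python
import secrets

# Constructed example parameters: a Mersenne prime field keeps the numbers readable.
# Real wallets share a scalar modulo the curve order (e.g. secp256k1's n) and use
# elliptic-curve points instead of the modular exponentiation used below.
PRIME = 2**127 - 1
ORDER = PRIME - 1      # order of the multiplicative group used for the toy "public key"
GENERATOR = 3          # toy group generator (assumption for this example)


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def sss_split(secret, threshold, n_shares):
    """Shamir's Secret Sharing: the key exists first, then is split.

    The secret is the constant term of a random degree (threshold-1) polynomial;
    share i is the point (i, f(i)). Any `threshold` shares recover the secret.
    """
    if not 0 < threshold <= n_shares:
        raise ValueError("need 0 < threshold <= n_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def sss_recover(shares):
    """Lagrange interpolation at x = 0.

    With fewer than `threshold` shares this still returns a value, but it is
    unrelated to the secret: every field element is equally consistent with the
    shares seen, which is exactly the information-theoretic guarantee of SSS.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def mpc_style_keygen(n_parties):
    """'In reverse': each party samples its own share first. The private key is
    only the sum of the shares modulo ORDER and is never materialised."""
    return [secrets.randbelow(ORDER) for _ in range(n_parties)]


def public_key_from_shares(shares):
    """Each party publishes g^share; multiplying the contributions yields g^(sum),
    i.e. the public key, without any party learning another party's share."""
    pk = 1
    for s in shares:
        pk = pk * pow(GENERATOR, s, PRIME) % PRIME
    return pk


def implied_secret(shares):
    """The full key an MPC wallet never assembles; used here only to check the maths."""
    return sum(shares) % ORDER


def public_key_from_secret(secret):
    """Reference computation showing that the share-wise construction agrees."""
    return pow(GENERATOR, secret % ORDER, PRIME)


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)
    shares = sss_split(key, 3, 5)
    print("SSS 3-of-5 recovers the key:", sss_recover(shares[:3]) == key)
    print("SSS 2-of-5 recovers the key:", sss_recover(shares[:2]) == key)
    mpc_shares = mpc_style_keygen(3)
    print("MPC public key matches the implied key:",
          public_key_from_shares(mpc_shares)
          == public_key_from_secret(implied_secret(mpc_shares)))
```

The two halves show the direction of the construction: `sss_split` starts from an existing key, while `mpc_style_keygen` starts from independently sampled shares and `public_key_from_shares` derives the public key from each party's published contribution alone. In both cases the chain only ever sees one ordinary signature, which is the on-chain indistinguishability the text describes.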

What happened?

The Fireblocks cryptography research team has uncovered BitForge – a series of zero-day vulnerabilities in some of the most widely adopted implementations of multi-party computation (MPC) protocols, including GG-18, GG-20, and Lindell17.
In our ongoing effort to advance MPC security in the field of cryptography, the Fireblocks research team analyzed dozens of publicly available MPC protocols and wallet providers. In doing so, the team uncovered zero-day vulnerabilities in implementations used by more than 15 digital asset wallet providers, blockchains, and open-source projects that would allow an attacker with privileged access to drain funds from wallets. In some implementations the attack takes only seconds, without the user's or vendor's knowledge.

With the vast amount of closed implementations, we recommend that businesses check with their providers directly or visit the BitForge Status Checker to learn more.

The BitForge vulnerabilities, if left unremediated, would enable attackers to exploit a newly discovered flaw in the GG18 and GG20 protocols and exfiltrate the full private key, due to a missing zero-knowledge proof. The Lindell17 vulnerability stems from wallet providers deviating from the academic paper, creating a backdoor that lets attackers expose part of the private key when signing fails. The exploits were validated on major open-source implementations, and a working PoC was built on the open libraries.

BitForge FAQ

Does BitForge impact all wallet providers that use MPC?

No, BitForge only impacts MPC wallet providers that utilize the GG-18, GG-20, and Lindell17 protocols.

Even if your provider is using another MPC protocol, it is important to ensure they undergo regular code audits and have the cryptography resources to immediately patch security vulnerabilities.

What does BitForge mean for the security of MPC?

The security and concept of MPC remains intact. The vulnerabilities identified are affecting specific implementations of MPC, and not the overarching concept itself.

When security flaws and vulnerabilities are found, every software and cryptographic protocol must be thoroughly audited and tested, and teams must have a plan in place to address security issues in a timely fashion.

The BitForge vulnerabilities do not reflect on the security of MPC as a technology; as noted above, they affect specific implementations of MPC, not the overarching concept itself.

Why does each wallet provider have a different implementation of the same MPC protocol?

Not all MPC protocols and implementations are created equal. Proficiency in implementation and the ability to manage and resolve vulnerability issues to protect users vary widely, as does the security level of different MPC implementations.

Have the vulnerabilities been exploited and if so, how recently?

As far as we know, the vulnerabilities have not been exploited. However, if an attacker had stolen a private key, it would be impossible to know until they moved funds to a new wallet.

As part of the responsible disclosure process, Fireblocks provided the industry-standard 90-day notice to all identified providers before publishing the findings from the BitForge vulnerabilities.
