Fireblocks has revealed a critical vulnerability in BitGo Ethereum wallets, which could have allowed hackers to gain access to users’ private keys. The cloud-based platform found the security flaw during an audit of BitGo’s wallet infrastructure in March. The vulnerability involves a race condition in BitGo’s multi-signature implementation, which could enable an attacker to obtain access to a user’s wallet if they can manipulate the timing of specific transactions. Fireblocks notified BitGo of the issue, and it has since been resolved. The disclosure underscores the importance of regular auditing of cryptocurrency wallets to identify and fix vulnerabilities before they can be exploited.
BitGo has temporarily suspended its Ethereum wallets that use the company’s Threshold Signature Scheme (TSS), following reports of a vulnerability in the BitGo TSS wallet protocol. The vulnerability allows attackers to extract a full private key using just a single signature, bypassing all of BitGo’s security features. The cryptography research team at Fireblocks, a blockchain infrastructure provider, discovered the flaw in early December. BitGo issued a patch update in February and required its clients to update to the latest version by March 17. BitGo has accused Fireblocks of “turning a known gap into a publicity stunt,” and BitGo is pursuing legal remedies.
Although Fireblocks claimed that it followed a “coordinated disclosure” process, BitGo refuted the claim, saying that the specific MPC wallet in question is in early access and remains unlocked only for 20 developers. BitGo claimed that Fireblocks had mischaracterized the MPC wallet as being in production, “because they tested it on mainnet using the BitGo website (ignoring all warnings about it being early-release).” BitGo’s TSS wallets were first introduced in June 2022, with support for Ethereum wallets added in October.
The vulnerability is a result of the wallet provider failing to follow a well-reviewed cryptographic standard, according to Fireblocks co-founder and CTO Idan Ofrat. While any wallets generated after the patch should be safe, the keys of any BitGo Ethereum TSS wallet generated prior to the update should be considered potentially exposed. Hence, any funds in those wallets should be moved to a secure wallet immediately. Digital asset custodian and security company BitGo is entrusted with securing billions of dollars in user funds, as attacks on the crypto industry continue to accelerate.