Vulnerabilities threatening funds on exchanges like Binance, Coinbase revealed – South China Morning Post
In a statement, the company said the vulnerabilities were made public following an industry-standard “90-day disclosure period”. US-based Coinbase, which had the issue in its wallet-as-a-service cloud offering, and Israeli wallet operator ZenGo told Fireblocks they had resolved the issue.
“If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, with no knowledge to the user or vendor,” Fireblocks said.
Other affected exchanges were not named to avoid damaging their credibility in case they have deployed or are working to deploy a fix, Fireblocks added.
03:09
US company plans to use bitcoin mining to clean up coal waste
BitForge affects what are called multiparty computation protocols (MPCs), which split private keys into multiple parts distributed across different devices to limit the chances of exposing the full key. It theoretically provides more security, but new vulnerabilities uncovered for some MPC implementations would allow an attacker to see the full key after 16 transactions, which could take place in a matter of seconds for highly used wallets, according to Fireblocks.
According to the Fireblocks report on BitForge, the vulnerabilities could be exploited to give a cybercriminal the ability to drain an entire wallet of its funds, if they were able to get access to one user’s private key.
“The way [BitForge could be] exploited, it’s quite easy and follows the way that most attacks happen,” Fireblocks CEO Michael Shaulov told the Post. “Essentially, what you need is to infect one user … with malware.”
Malware can be used to infect a user’s system and is often delivered by cyber criminals through phishing, a method in which deceptive correspondence is sent, usually through email, to trick users into installing malicious code or revealing personal information.
While cryptocurrency-related crimes were down 65 per cent to US$3.3 billion in the first half of this year compared with 2022, ransomware, a type of cryptocurrency crime that utilises malware, has rebounded, according to data from industry intelligence firm Chainalysis.
In a typical ransomware attack, cybercriminals will use malware to gain access to and encrypt a victim’s personal data, systems or accounts and then ransom it back for payment in cryptocurrency. Such attacks are currently on track to reach thefts of nearly US$900 million this year, which would mark the biggest year for such attacks since 2021’s US$940 million.
Governments globally have long voiced cybersecurity concerns regarding digital assets and cryptocurrency exchanges. As part of efforts to address record-breaking rates of cryptocurrency lost to crime and insolvency last year, regulators have begun stepping up efforts to bring digital assets and their providers under regulatory oversight.
As of June, cryptocurrency exchanges in Hong Kong must seek a licence from the Securities and Futures Commission (SFC) to serve customers in the city, which requires meeting a range of standards in areas of cybersecurity, anti-money-laundering (AML), private key management, internal audits and controls.
Still, the SFC, the city’s top financial regulator, has previously stated it is open to allowing licensed virtual-asset trading platforms to adopt different custody solutions as the industry reaches a consensus.
Cybersecurity and custody issues are expected to remain a concern in the rapidly evolving digital-asset space where new technologies are frequently probed by criminals looking for vulnerabilities, such as BitForge, to exploit.
“While [MPC] is mathematically proven and sound, it is the quality of the implementation of these mathematical functions where bugs can occur, leading to attack angles,” said Donald Day, chief operating officer at VDX, a company seeking to set up a regulated cryptocurrency exchange in Hong Kong.
“MPC implementations are still very new, and have not yet been exposed to the same rigorous testing as [other options],” Day said, adding this is why the SFC has taken a cautious approach to asset custody.
According to Fireblocks, other wallet providers may be vulnerable to BitForge, but the company said it could not determine precisely how many used these MPC implementations.
“While we are encouraged to see that MPC is now ubiquitous within the digital-asset industry, it is evident from our findings – and our subsequent disclosure process – that not all MPC developers and teams are created equal,” said Fireblocks’ chief technology officer and co-founder, Pavel Berengoltz.