Crypto wallet BitGo fixes vulnerabilities allowing malicious actors to steal the private keys of its clients.
BitGo, the provider of institutional-grade, multi-coin cryptocurrency wallet, has fixed a security vulnerability that posed a risk to the private keys of both retail and institutional customers.
Fireblocks, a cryptography research team, discovered the critical security flaw in BitGo's wallet and notified the company in December 2022.
Did you know?
Want to get smarter & wealthier with crypto?
Subscribe - We publish new crypto explainer videos every week!
How to Store NFTs in 2023 (3 Most Secure Ways Explained)
The vulnerability was linked to BitGo Threshold Signature Scheme (TSS) wallets, which threatened to expose the private keys of exchanges, banks, and businesses operating on the platform.
In its report, Fireblocks revealed that vulnerability would allow malicious actors to bypass "all of BitGo security features."
The vulnerability allows an attacker to extract the full ECDSA private key from BitGo Ethereum TSS wallets using a single signature and a few seconds of computation, bypassing all of BitGo security features.
Dubbed the BitGo Zero Proof Vulnerability, the issue could have enabled potential malicious actors to extract a private key in less than a minute using a small JavaScript code.
As a response to the vulnerability, BitGo suspended the affected service on December 10th. In February 2023, BitGo fixed the issue and urged users to update their client-side software to the latest version by March 17th.
On top of that, Fireblockcs noted that the vulnerability can be exploited by malicious actors "with no prior secret material knowledge."
The attack is symmetric and can be executed by both parties in the interaction or by a middleman with no prior secret material knowledge, exposing the key material to many different internal and external attackers.
Fireblocks detailed their discovery process, which involved using a free BitGo account on the mainnet. The team found that BitGo's ECDSA TSS wallet protocol was missing an essential part of mandatory zero-knowledge proofs, allowing them to expose the private key through a simple attack.