Multiple zero-day vulnerabilities, collectively named 'BitForge', in implementations of the widely used threshold signature protocols GG-18, GG-20, and Lindell 17 affected popular cryptocurrency wallet providers, including Coinbase, ZenGo, Binance, and many more.
These vulnerabilities could allow attackers to steal digital assets stored in impacted wallets in seconds without requiring interaction with the user or the vendor.
The flaws were discovered by the Fireblocks Cryptography Research Team in May 2023, which collectively named them 'BitForge.'
Today, the analysts publicly disclosed BitForge in the "Small Leaks, Billions Of Dollars: Practical Cryptographic Exploits That Undermine Leading Crypto Wallets" BlackHat presentation, by which time Coinbase and ZenGo had applied fixes to address the problem.
However, Fireblocks says that Binance and dozens of other wallet providers remain vulnerable to BitForge. Fireblocks has also created a status checker that projects can use to find out whether they are exposed because of an improper multi-party computation (MPC) protocol implementation.
The BitForge flaws
The first flaw (CVE-2023-33241) discovered by Fireblocks impacts the GG18 and GG20 threshold signature schemes (TSS), which are considered pioneering and foundational for the MPC wallet industry, as they allow multiple parties to jointly generate keys and co-sign transactions.
Fireblocks' analysts found that, depending on the implementation parameters, an attacker can send a specially crafted message and extract a victim's key share in 16-bit chunks, retrieving the entire private key from the wallet in 16 repetitions.
The flaw stems from a lack of checks on the attacker-supplied Paillier modulus (N): vulnerable implementations never verify that N is free of small factors and that it is a biprime (the product of two large primes), so a maliciously constructed modulus turns the protocol's Paillier-encrypted messages into a leak of the other parties' secret shares.
"If exploited, the vulnerability allows a threat actor interacting with the signatories in the TSS protocol to steal their secret shards and ultimately obtain the master secret key," reads Fireblocks' report.
"The severity of the vulnerability depends on the implementation parameters, so different parameter choices give rise to different attacks with varying degrees of effort/resources required to extract the full key."
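The following is an added example, not code from Fireblocks, from any affected wallet, or from the GG18/GG20 specifications. It shows the cheap local sanity checks a party can run on a counterparty's Paillier modulus before using it: minimum size, oddness, no factor below 2^16 (the chunk size named above), not itself prime, and not a perfect power. It builds an honest modulus and a crafted one (many 16-bit primes padded with one large prime to the expected size) to show which check rejects the crafted value. The 2^16 bound, the 512-bit demo size (real Paillier keys are 2048 bits or more), the seeded RNG, and the function names are all assumptions made for illustration; these checks complement but do not replace a zero-knowledge proof that N is a biprime.

```python
import random

# Seeded RNG so the example reproduces; real key generation must use a CSPRNG (assumption).
_rng = random.Random(2023)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime with the top bit set, so the result is exactly `bits` long."""
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def small_primes(bound):
    """Sieve of Eratosthenes: all primes <= bound."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, flag in enumerate(sieve) if flag]


SMALL_FACTOR_BOUND = 1 << 16  # assumption: reject any factor that could leak 16-bit chunks
SMALL_PRIMES = small_primes(SMALL_FACTOR_BOUND)


def integer_kth_root(n, k):
    """Smallest x with x**k >= n (binary search)."""
    lo, hi = 1, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < n:
            lo = mid + 1
        else:
            hi = mid
    return lo


def check_paillier_modulus(N, min_bits):
    """Receiver-side sanity checks on a counterparty's Paillier modulus.
    Returns (ok, reason). Passing these is necessary, not sufficient: a
    zero-knowledge proof of biprimality is still required."""
    if N.bit_length() < min_bits:
        return False, "modulus too short"
    if N % 2 == 0:
        return False, "modulus is even"
    for p in SMALL_PRIMES:          # trial division against every prime below the bound
        if N % p == 0:
            return False, f"small factor {p}"
    if is_probable_prime(N):
        return False, "modulus is prime, not a biprime"
    for k in range(2, N.bit_length() + 1):  # N = m**k would also not be a biprime
        if integer_kth_root(N, k) ** k == N:
            return False, f"modulus is a perfect {k}-th power"
    return True, "passed local checks (still needs a ZK proof of biprimality)"


def honest_modulus(bits=512):
    """Product of two equal-size primes, as an honest party would generate."""
    return gen_prime(bits // 2) * gen_prime(bits // 2)


def crafted_modulus(bits=512):
    """Attacker's N: ten 16-bit primes, padded with one large prime to the expected size."""
    N = 1
    for p in [p for p in SMALL_PRIMES if p > (1 << 15)][:10]:
        N *= p
    return N * gen_prime(bits - N.bit_length())


if __name__ == "__main__":
    print(check_paillier_modulus(honest_modulus(), 510))
    print(check_paillier_modulus(crafted_modulus(), 510))
```

The crafted modulus has the same bit length as an honest one and would be accepted by a size check alone; only the trial-division step rejects it. Because trial division cannot rule out two medium-sized factors or a product of three large primes, the protocol-level fix is a proof of no-small-factors and biprimality from the modulus owner, with these local checks as a first line of defence.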
The vulnerability discovered in the Lindell17 2PC protocol (CVE-2023-33242) is of a similar nature, allowing an attacker to extract the entire private key one bit per signature, after a couple of hundred signature attempts (256 for a 256-bit key).
The flaw lies in implementations of the 2PC protocol rather than in the protocol itself, and manifests through a mishandling of aborts by wallets: instead of stopping when a signing step fails verification, they continue signing, and every further signature exposes another bit of the private key.
"The attack takes advantage of a mishandling of aborts by wallets using the 2PC protocol given an 'impossible choice' between aborting operations, which is an unreasonable approach given funds might be locked in the wallet, or to continue signing and sacrificing additional bits of the key with every signature."
by Fireblocks
The attack works from either side of the two-party protocol: it can be carried out by a corrupted client against the server, or by a corrupted server against the client.
In the first scenario, the attacker controls the client and sends specially crafted signing requests to the server; each response reveals one bit of the server's secret key share.
Fireblocks says 256 such attempts are required to gather enough data to reconstruct the server's entire secret share.
However, since vulnerable implementations impose no limit on failed signing attempts, the attacker can send the server many requests in quick succession, so the whole attack can be carried out in a short time.
The second scenario targets the secret key of the client, using a compromised server to retrieve it via specially crafted messages. Again, 256 requests are required for complete key extraction.
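The following is an added example, not code from Fireblocks, from any wallet vendor, or an implementation of Lindell17 itself. It is a toy model of the abort-handling failure described above: the real attack makes the server's verification of a crafted client message succeed or fail depending on one bit of the server's secret share, and a wallet that keeps signing after such a failure hands the attacker one bit per request. The model replaces the protocol's mathematics with a `ServerShare` whose `sign` outcome depends directly on the probed bit, then runs the 256-request extraction against a server that continues after failures and against one that treats the first failure as a terminal abort. The class and function names, the 256-bit share size, and the lockout policy are assumptions for illustration.

```python
import secrets

KEY_BITS = 256  # assumption: a 256-bit secret share, hence 256 probes


class ServerShare:
    """Toy model of the server side of a 2PC signer (not Lindell17's real math).
    Each crafted request targets one bit of the secret share: verification
    "fails" when that bit is 1, and the failure is observable to the client."""

    def __init__(self, secret_share, abort_on_failure):
        self._share = secret_share
        self._abort_on_failure = abort_on_failure  # hardened policy: stop after a failed check
        self._locked = False
        self.queries = 0
        self.failures = 0

    def sign(self, bit_index):
        if self._locked:
            raise RuntimeError("signing locked after a protocol abort; re-share keys before resuming")
        self.queries += 1
        if (self._share >> bit_index) & 1:
            # Crafted message fails the server's check for this bit value.
            self.failures += 1
            if self._abort_on_failure:
                self._locked = True
            return None  # the client sees the failure
        return f"signature for probe {bit_index}"


def extract_share(server):
    """Attacker-side loop: one request per bit, failure means the bit is 1."""
    share = 0
    for i in range(KEY_BITS):
        if server.sign(i) is None:
            share |= 1 << i
    return share


def run_attack(secret_share=None):
    """Run the extraction against a leaky and a hardened server.
    Returns (leaky_recovered_ok, leaky_queries, hardened_outcome, hardened_queries)."""
    if secret_share is None:
        secret_share = secrets.randbits(KEY_BITS)

    leaky = ServerShare(secret_share, abort_on_failure=False)
    recovered = extract_share(leaky)

    hardened = ServerShare(secret_share, abort_on_failure=True)
    try:
        extract_share(hardened)
        outcome = "full share leaked"
    except RuntimeError:
        outcome = "locked after first abort"

    return recovered == secret_share, leaky.queries, outcome, hardened.queries


if __name__ == "__main__":
    print(run_attack())
```

Against the leaky server the loop always finishes in exactly 256 requests and recovers the share, matching the request count given in the text. The hardened server still leaks the one bit that caused the abort, which is why the page calls the choice "impossible": the only safe continuation after an abort is to stop using that share and re-share or rotate the key, not to retry signing.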
The analysts have also published two proof-of-concept (PoC) exploits on GitHub, one for each of the two protocols.
Coinbase says it fixed the flaws in its Wallet as a Service (WaaS) solution after they were disclosed, thanking the researchers for their responsible disclosure.
"We would like to thank Fireblocks for identifying and responsibly disclosing this issue. While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation," said Jeff Lunglhofer, Chief Information Security Officer at Coinbase. "Setting a high industry bar for safety protects the ecosystem and is critical to the broader adoption of this technology."