Bitforge: 'vulnerabilities uncovered for some MPCs would allow an attacker to see the FULL key after 16 transactions'

Bitforge: 'vulnerabilities uncovered for some MPCs would allow an attacker to see the FULL key after 16 transactions'


Uhumm, so...why isn't this bigger news? I'm going to cut the small talk on this one and highlight the most important findings:

"BitForge affects what are called multiparty computation protocols (MPCs), which split private keys into multiple parts distributed across different devices to limit the chances of exposing the full key...new vulnerabilities uncovered for some MPC implementations would allow an attacker to see the full key after 16 transactions, which could take place in a matter of seconds for highly used wallets."

So apparently Binance and a few others already fixed the vulnerability before it could be exploited and literally crash both exchanges and the entire market."Binance founder and CEO Zhao Changpeng also acknowledged the vulnerability in a tweet on Thursday, saying his exchange, the largest in the world by volume, had resolved the issue and that no user funds were affected."

Nevertheless I was really interested in knowing exactly who or what the weak link(s) were here, so after a little further investigating: "The researchers explained that the BitForge vulnerability affects wallets that implement particular multiparty computation protocols, including GG-18, GG-20 and Lindell 17.....The GG-18 and GG-20 flaw allows an attacker to exfiltrate the full private key because of a missing zero-knowledge proof, which will permit the attacker to take control of the wallet funds and drain it. The Lindell 17 vulnerability comes from wallet providers not following the academic implementation, which created a backdoor for attackers to discover parts of the private key when signing fails, allowing the attacker to piece together the entire key after a large number of failed signings. It takes about 200 failed signature attempts."

So there you have it. I'm not going to pretend I fully understood everything I just read, but regardless you really can't be too careful which exchange/wallet you use. I tried that Bitforge checker Fireblocks put out, but there really isn't much on there (yet). As a matter of fact it as of yet even doesn't have Binance listed as 'secure', or maybe they are the 'anonymous' secure listing under the two visible ones. All three had the Lindel 17 protocol flaw and are now deemed 'secure'. A fourth exchange listed only as 'Abcxzy' has the GG18/20 protocol flaw and is still pending.

5aa030d8c93f3aaae2bada38a77568d664da9846bf714e78a31da675dc44cf7a.png

How do you rate this article?

14



Geo-Political & Economical developments
Geo-Political & Economical developments

Things are almost never as they seem. If you sincerely think that world powers would spend their money and resources in order to just "help" citizens from foreign nations, you might want to ask yourself why they've been neglecting and out right murdering their own citizens for decades. What are their true motives for wanting to fund foreign (terror) groups, start global confrontations and wars? I'll let you in on a little secret; It has NOTHING to do with "human rights" nor "democracy".

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.