Uhumm, so...why isn't this bigger news? I'm going to cut the small talk on this one and highlight the most important findings:
So apparently Binance and a few others already fixed the vulnerability before it could be exploited and literally crash both exchanges and the entire market."Binance founder and CEO Zhao Changpeng also acknowledged the vulnerability in a tweet on Thursday, saying his exchange, the largest in the world by volume, had resolved the issue and that no user funds were affected."
Nevertheless I was really interested in knowing exactly who or what the weak link(s) were here, so after a little further investigating: "The researchers explained that the BitForge vulnerability affects wallets that implement particular multiparty computation protocols, including GG-18, GG-20 and Lindell 17.....The GG-18 and GG-20 flaw allows an attacker to exfiltrate the full private key because of a missing zero-knowledge proof, which will permit the attacker to take control of the wallet funds and drain it. The Lindell 17 vulnerability comes from wallet providers not following the academic implementation, which created a backdoor for attackers to discover parts of the private key when signing fails, allowing the attacker to piece together the entire key after a large number of failed signings. It takes about 200 failed signature attempts."
So there you have it. I'm not going to pretend I fully understood everything I just read, but regardless you really can't be too careful which exchange/wallet you use. I tried that Bitforge checker Fireblocks put out, but there really isn't much on there (yet). As a matter of fact it as of yet even doesn't have Binance listed as 'secure', or maybe they are the 'anonymous' secure listing under the two visible ones. All three had the Lindel 17 protocol flaw and are now deemed 'secure'. A fourth exchange listed only as 'Abcxzy' has the GG18/20 protocol flaw and is still pending.
