Binance’s CEO, Changpeng Zhao (CZ), has stepped up to confront concerns surrounding the BitForge vulnerability, a critical security issue unveiled by the Fireblocks research team. This vulnerability has surfaced in some of the most widely embraced multi-party computation (MPC) protocols, including GG-18, GG-20, and Lindell17. In a reassuring Twitter statement, CZ affirmed,
“This issue was present in the Threshold Signature Scheme (TSS) Library Binance open-sourced, which has been fixed. Thanks to Fireblocks for uncovering it! No Binance user funds were affected. Even MPC custody solutions have risks. Stay #SAFU!”
Binance’s Rapid Action
Fireblocks’ research revealed that BitForge encompasses a series of zero-day vulnerabilities that could enable privileged attackers to siphon funds from wallets without users or vendors detecting the breach—often within seconds.
Notably, the vulnerabilities within the GG-18 and GG-20 protocols raised significant alarms. These protocols, widely embraced by MPC wallet providers, exhibited a flaw due to the absence of a zero-knowledge proof, potentially leading to the complete extraction of private keys.
In 2020, the GG-18 and GG-20 protocols were updated to address a known vulnerability. However, these modifications inadvertently introduced another vulnerability. The gravity of this flaw varies according to the specific implementation of the GG protocols by different wallet providers. Attackers could extract keys with as few as 16 signatures in some cases, while in others, it could require an astonishing 1 billion signatures.
In contrast, the Lindell17 protocol vulnerability stemmed from deviations from the original academic paper’s specifications. This divergence could lead to mishandling of failed signatures, potentially creating a backdoor for attackers. Exploiting the party that finalizes the signing process, whether the wallet provider or the user, could allow attackers to exfiltrate the key after approximately 200 signature requests.
Fireblocks’ revelation exposed potential vulnerabilities and emphasized the significance of rigorous security assessments and continuous research in the cryptocurrency sphere. Binance’s prompt acknowledgment and resolution of the issue in its open-sourced TSS Library epitomize the industry’s proactive stance against potential threats.
As the crypto community maintains vigilance, the transparency and swift responses of Binance and other affected wallet providers have garnered praise. However, CZ rightly pointed out that even the most trusted solutions can harbor vulnerabilities.