BitGo fixes critical flaw in Ethereum wallet software discovered by Fireblocks
Enterprise cryptocurrency wallet provider BitGo Inc. today patched a critical flaw that could have exposed users' Ethereum private keys, after researchers at the digital asset custody firm Fireblocks Inc. discovered the vulnerability.
Fireblocks named the issue the Zero Proof Vulnerability, because it stemmed from a missing security layer in BitGo's implementation of the Elliptic Curve Digital Signature Algorithm threshold signature scheme, or ECDSA TSS: the zero-knowledge proofs the protocol relies on. In a TSS, the parties holding shares of a key jointly produce a signature without any of them ever holding the full key, and the zero-knowledge proofs are what let each party verify that the others' messages are well-formed without learning their secrets. Without those proofs, the TSS exchange acts only as a communication conduit, and a malicious participant can bypass the protocol's security guarantees altogether.
Fireblocks said it notified BitGo of the issue on Dec. 5, and that BitGo took the affected service offline on Dec. 10. A patch followed in February, with all affected clients required to update their wallet software by today.
Fireblocks says it followed a fully "coordinated disclosure" process with BitGo. In coordinated disclosure, researchers who find a vulnerability report it privately to the vendor, work with them on a fix, and wait until the fix has been fully deployed before publishing the details.
In response to the revelation, BitGo claimed that Fireblocks is “trying to drum up unnecessary fear” and “turning a known gap into a publicity stunt.”
The company stated that the affected wallet was, and still is, in early access and was available to only 20 developers, which limited the damage that could have been done had the flaw been exploited.
BitGo went on to say that the Fireblocks disclosure contained a number of false claims, but did not specify what they were. It did stress, however, that Fireblocks did not mention that the product was in early release, a form of beta testing in which developers and engineers exercise a new product to surface flaws before it becomes generally available to the public.
“It is unusual for a firm to repeatedly contact reporters, regulators and clients about a known issue in a pre-release product, and we are surprised that Fireblocks decided to take that path after we informed them that this was early-release software,” BitGo said in a statement.
BitGo added that its products are all open source and that its team stands by its open-source security processes and welcomes further scrutiny from the rest of the community.