Critical Security Issue in BitGo Wallet Resolved After Fireblocks Discovery

BitGo, the provider of institutional-grade, multi-coin cryptocurrency wallet, has fixed a security vulnerability that posed a risk to the private keys of both retail and institutional customers.

Fireblocks, a cryptography research team, discovered the critical security flaw in BitGo's wallet and notified the company in December 2022.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

What is Basic Attention Token (BAT)? Brave Browser EASILY Explained

SUBSCRIBE

ON YOUTUBE

The vulnerability was linked to BitGo Threshold Signature Scheme (TSS) wallets, which threatened to expose the private keys of exchanges, banks, and businesses operating on the platform.

In its report, Fireblocks revealed that vulnerability would allow malicious actors to bypass "all of BitGo security features."

The vulnerability allows an attacker to extract the full ECDSA private key from BitGo Ethereum TSS wallets using a single signature and a few seconds of computation, bypassing all of BitGo security features.

Dubbed the BitGo Zero Proof Vulnerability, the issue could have enabled potential malicious actors to extract a private key in less than a minute using a small JavaScript code.

As a response to the vulnerability, BitGo suspended the affected service on December 10th. In February 2023, BitGo fixed the issue and urged users to update their client-side software to the latest version by March 17th.

On top of that, Fireblockcs noted that the vulnerability can be exploited by malicious actors "with no prior secret material knowledge."

The attack is symmetric and can be executed by both parties in the interaction or by a middleman with no prior secret material knowledge, exposing the key material to many different internal and external attackers.

Fireblocks detailed their discovery process, which involved using a free BitGo account on the mainnet. The team found that BitGo's ECDSA TSS wallet protocol was missing an essential part of mandatory zero-knowledge proofs, allowing them to expose the private key through a simple attack.

Gile K., Market Sentiment Analyst

Gile is a Market Sentiment Analyst who understands what public events may form what emotions. Her experience researching Web3 news and public market messages – including cryptocurrency news reports, PRs, and social network streams – is critical to her role in helping lead the Crypto News Editorial Team.
As an intelligent professional in public relations, together with the team, she aims to determine real VS fake news patterns, and bring her findings to anyone searching for unbiased news and events happening in the FinTech markets. Her expertise is uncovering the latest trustworthy & informative Web3 announcements to the masses.
When she's not researching the trustworthiness of mainstream stories, she spends time enjoying her terrace view and taking meticulous care of her outdoor environment.

Full Bio

All Expert Contributors & Analysts