Binance’s CEO, Changpeng Zhao, has come forward to address concerns regarding the BitForge vulnerability. This security issue, as uncovered by the Fireblocks research team, has been identified in some of the most widely adopted multi-party computation (MPC) protocols, including the likes of GG-18, GG-20, and Lindell17.
Changpeng Zhao, in a reassuring statement, declared via Twitter today, “This issue was present in the Threshold Signature Scheme (TSS) Library Binance open-sourced, which has been fixed. Thanks to Fireblocks for uncovering it! No Binance user funds affected. Even MPC custody solutions have risks. Stay #SAFU!”
Diving Deeper Into The BitForge Findings
Fireblocks’ research unveiled that BitForge is a series of zero-day vulnerabilities that could potentially allow attackers with privileged access to drain funds from wallets without the knowledge of the user or vendor, often in mere seconds.
The vulnerabilities in the GG18 and GG20 protocols were particularly alarming. These protocols, widely adopted by MPC wallet providers, had a flaw due to a missing zero-knowledge proof, which could lead to the full exfiltration of the private key.
The GG-18 and GG-20 protocols had previously been updated in 2020 to patch a known vulnerability. However, these modifications inadvertently introduced another vulnerability. The severity of this flaw varies depending on the specific implementation of the GG protocols by different wallet providers. In some cases, attackers could extract keys in as few as 16 signatures, while in others, it could take up to a staggering 1 billion signatures.
The Lindell17 protocol vulnerability, on the other hand, is a result of deviations from the original academic paper’s specifications. This deviation can lead to mishandling failed signatures, creating a potential backdoor for attackers. An attacker could exploit the party finalizing the signing process, be it the wallet provider or the user, to exfiltrate the key after approximately 200 signature requests.
Binance And The Industry Respond
Fireblocks’ discovery has not only highlighted potential vulnerabilities but also underscored the importance of rigorous security checks and the need for continuous research in the crypto space. Binance’s swift acknowledgment and rectification of the issue in their open-sourced TSS Library exemplify the industry’s proactive stance towards potential threats.
While the crypto community remains vigilant, the transparency and promptness demonstrated by Binance and other affected wallet providers have been commendable. However, as Changpeng Zhao rightly emphasized, even the most trusted solutions can have vulnerabilities.
At press time, the Binance Coin (BNB) traded at $241.9, seeing a slight uptrend following the yearly low at $220 on June 12. However, to confirm a bullish reversal, BNB needs to break the resistance at $258.