Fireblocks reported vulnerability, now patched, in BitGo TSS wallets

Fireblocks, a digital asset security platform, discovered a critical vulnerability in BitGo’s Threshold Signature Scheme (TSS) wallets, putting the private keys of its users at risk of exposure to potential hacks.

BitGo utilizes TSS wallets to improve security by distributing partial private key information across multiple parties as one of its offerings.

BitGo, a cryptocurrency custody firm, promptly suspended the affected wallet service in December 2022 upon learning of the vulnerability, dubbed the «BitGo Zero Proof Vulnerability,» according to a media release from Fireblocks. The company then released a patch in February 2023 to address the flagged issue and informed clients to update their systems by March 17.

According to Fireblocks’ researchers, the vulnerability resulted from a missing implementation of mandatory zero-knowledge proofs in the TSS wallet protocol. This omission could potentially have made it possible for attackers to extract users’ private keys and gain access to their assets. Fireblocks did not say if there has been any loss of user assets because of the vulnerability.

«The vulnerability is a result of the wallet provider failing to follow a well-reviewed cryptographic standard,” said Idan Ofrat, co-founder and CTO at Fireblocks.

Fireblocks added it worked closely with BitGo to resolve the vulnerability and improve the security of its wallet services.

BitGo did not immediately respond to a request for comment.

Source