The Fireblocks’ cryptography research team discovered a vulnerability in the self-managed Ethereum (ECDSA) wallet implementation of BitGo in December. The flaw, which could have led to secret shares like private keys theft, was later addressed by the digital asset trust company.
The bug bound in the smart contract of BitGo was so critical as if it gets exploited, could potentially compromise private key access of exchanges, banks, businesses, and users of the platform.
According to Fireblocks, the vulnerability was present in BitGo’s TSS (Threshold Signature Scheme) protocol. It said in a blog post, “Attackers can bypass all security measures, gain access, and steal all the funds from the wallet” by exploiting the bug.
The vulnerability called “Zero Proof” was found in the protocol’s SDK “BitGoJS”, which is used by their client to interact with the BitGo API through Java Script. Attackers could breach the code through very little effort and gain control of the private key.
Also Read: Euler Finance Witnesses Flash Loan Attack, Largest Hack of 2023
After tracking down the bug, the Fireblocks cryptography research team shared the details with BitGo on Dec 5, and so, BitGo took immediate action. The platform suspended the affected service on Dec 10, 2022.
BitGo filtered out the vulnerability by releasing a patch, which requires the client to update to the latest version by March 17.
Fireblocks also explained a technical overview of how one could exploit the vulnerabilities and drain funds held in a user’s wallet.
Although Fireblocks claimed that it had followed a “coordinated disclosure” process between its research team and BitGo’s security team, BitGo strongly refuted Fireblocks’ characterization of events.
BitGo published a blog post and accused Fireblocks of “turning a known gap into a publicity stunt,” and said, “This is not how coordinated disclosures are supposed to work.”