Fireblocks Discloses ‘Zero Day’ Vulnerabilities Impacting Leading MPC Wallets

It’s unlikely users were impacted by the vulnerabilities – collectively referred to as “BitForge” – but Fireblocks says they could’ve let hackers “drain funds from the wallets of millions of retail and institutional customers in seconds” if left unfixed.

AccessTimeIconAug 9, 2023 at 9:15 p.m. UTC
Updated Aug 9, 2023 at 9:21 p.m. UTC

Fireblocks, an enterprise-focused crypto infrastructure firm, has disclosed a set of vulnerabilities – collectively referred to as “BitForge” – impacting a variety of popular crypto wallets that use multi-party computation (MPC) technology.

The firm has classified BitForge as a “zero-day” – meaning the vulnerabilities hadn’t been discovered by developers of the affected software prior to disclosure from Fireblocks.

Coinbase, ZenGo, and Binance – three of the biggest companies impacted by BitForge – have already worked with Fireblocks to remediate their exposure to potential exploits, according to the firm. Fireblocks says it has worked to identify other teams that might be impacted and has reached out to them in accordance with the “industry-standard 90-day responsible disclosure process.”

Even though the particular vulnerabilities may have been patched in major wallets, the episode raises potentially alarming questions about just how safe these supposedly ultra-safe MPC wallets really are.

“If left unremediated, the exposures would allow attackers and malicious insiders to drain funds from the wallets of millions of retail and institutional customers in seconds, with no knowledge to the user or vendor,” Fireblocks said in a statement shared with CoinDesk.

While Fireblocks says that attacks exploiting the vulnerabilities would have been “practical,” the firm believes their complexity made them difficult to discover in advance of Wednesday’s disclosure. “The chances that someone – some malicious actor from, let's say, North Korea figured it out months before we figured it out and disclosed it to wallet providers – I would say that the likelihood of that is very, very, very low,” Fireblocks CEO Michael Shaulov told CoinDesk.

If MPC wallet users want to know whether they might be using a vulnerable wallet, Shaulov said they can reach out to Fireblocks or fill out a form that will be posted to its website.

Multi-party computation

In the context of crypto wallets, “MPC technology was primarily designed to make sure that that you don't have a single point of failure – a private key is not sitting on a single server or on a single device,” explained Shaurov.

Wallets that use MPC encrypt a user’s private key and split it across several different parties – typically some combination of a wallet user, a wallet provider, and a trusted third party. In theory, no single one of these entities can unlock the wallet without help from the others.

According to Fireblocks, the BitForge vulnerabilities would have “allowed a hacker to extract the full private key if they were able to compromise only one device,” undermining the whole “multi-party” aspect of MPC.

How it worked

Fireblocks outlined technical details of the BitForge vulnerabilities in a set of technical reports released on Wednesday.

Generally, for an attacker to take advantage of the BitForge vulnerabilities, they would need to compromise the device of a wallet user or break into the internal systems of someone else with a piece of the user’s encrypted private key – either the wallet service or one of those third-party custodians.

The steps from there would depend on the wallet. The BitForge vulnerabilities were present in several popular research papers that describe how to build MPC systems, and different wallet providers will have implemented this research differently.

Coinbase says its main user-facing wallet service, Coinbase Wallet, was not impacted by the bugs, whereas Coinbase Wallet-as-a-Service (WaaS) – which companies can use to power their own MPC wallets – was technically vulnerable before Coinbase implemented a fix.

According to Coinbase, the Fireblocks-discovered vulnerabilities would have been “nearly impossible to exploit” in its case – requiring a “malicious server inside Coinbase infrastructure” to trick users into “initiating hundreds of fully authenticated signing requests.”

“It is extremely unlikely that any customer would be willing to go through that tedious and manual process hundreds of times before contacting us for support,” Coinbase said.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Sam Kessler

Sam is CoinDesk's deputy managing editor for tech and protocols. He reports on decentralized technology, infrastructure and governance. He owns ETH and BTC.