Crypto wallet BitGo recently patched up its TSS protocols after observing certain vulnerabilities. Bitgo had recently released Ethereum and ERC-20 Threshold Signature Scheme (TSS) wallets, that were infected by critical bugs.
The bug bound in the smart contract of BitGo was so critical that if exploited, it could potentially compromise the private key access of exchanges, banks, businesses, and users of the platform.
According to Fireblocks, the vulnerability was present in BitGo’s TSS (Threshold Signature Scheme) protocol. It said in a blog post, “Attackers can bypass all security measures, gain access, and steal all the funds from the wallet” by exploiting the bug.
The vulnerability, called “Zero Proof” was found in the protocol’s SDK “BitGoJS”, which is used by their client to interact with the BitGo API through Java Script. Attackers could breach the code with very little effort and gain control of the private key.
After tracking down the bug, the Fireblocks cryptography research team shared the details with BitGo on Dec 5, and so BitGo took immediate action. The platform suspended the affected service on Dec 10, 2022.
The Fireblocks’ cryptography research team claimed to have discovered the vulnerability in the self-managed Ethereum (ECDSA) wallet implementation of BitGo in December. The flaw, which could have led to secret shares like private keys theft, was later addressed by the digital asset trust company.
However, BitGo denied the assertion that Fireblock was the initial entity to discover a vulnerability. The flaw had already been identified and recorded on BitGo’s open-source code, available on GitHub. Typically, software developers release early versions of their open-source code to gather feedback and pinpoint defects, and BitGo followed the same approach.
Additionally, all impacted wallets were owned by 20 BitGo-affiliated developers who were testing the wallets during the early stages before their complete deployment. No assets or private keys belonging to any clients were compromised, as they were not authorized to use wallets during this early stage.
BitGo asserts to have filtered out the vulnerability by releasing a patch in February, and has nothing to do with “Fireblocks’s unethical disclosure process”, stated in a personal conversation with Crypto Times.
Fireblocks also explained a technical overview of how one could exploit the vulnerabilities and drain funds held in a user’s wallet.
Although Fireblocks claimed that it had followed a “coordinated disclosure” process between its research team and BitGo’s security team, BitGo strongly refuted Fireblocks’ characterization of events.
BitGo published a blog post and accused Fireblocks of “turning a known gap into a publicity stunt,” and said, “This is not how coordinated disclosures are supposed to work.”
Also Read: Euler Finance Witnesses Flash Loan Attack, Largest Hack of 2023
