Crypto Wallet BitGo Fixes Serious Flaw That Could Expose Users Private Keys

• BitGo Zero Proof Vulnerability is what the Fireblocks team has dubbed the flaw.
• The Fireblocks team detailed its discovery of the flaw using a free BitGo mainnet account.

BitGo, a popular cryptocurrency wallet, has fixed a serious flaw that could have exposed the private keys of its retail and institutional users.

In December 2022, the Fireblocks cryptography research team discovered the vulnerability and informed BitGo of it. BitGo Threshold Signature Scheme (TSS) wallets were susceptible to the flaw, which could have compromised the private keys of the platform’s users, exchanges, banks, and businesses.

Upgrade to Recent Version

BitGo Zero Proof Vulnerability is what the Fireblocks team has dubbed the flaw that could allow an attacker to steal a user’s private key in under a minute with just a few lines of JavaScript code. After discovering the security flaw on December 10, BitGo immediately disabled the service and issued a patch in February 2023, mandating that all clients upgrade to the most recent version by March 17.

The Fireblocks team detailed its discovery of the flaw using a free BitGo mainnet account. The BitGo ECDSA TSS wallet protocol had a flaw that made it vulnerable to a trivial attack because it lacked a required zero-knowledge proof.

Fireblocks demonstrated that there are two ways in which an attacker, whether internal or external, can obtain a complete private key.

Anyone with access to the client side can initiate a transaction to steal a piece of the private key stored in BitGo’s system. Following the signing computation, BitGo would leak the BitGo key shard by disclosing sensitive information.

Nonetheless, Fireblocks advised users to consider opening new wallets and transferring funds from ECDSA BitGo wallets before the fix is released, even though no attacks have been carried out using the reported vulnerability.