BitGo patches vulnerability flagged in early access ETH TSS wallets

Cryptocurrency wallet platform BitGo patches a critical vulnerability that would allow attackers to gain access to users’ private keys.

Update (March 22 07:00 UTC): This article has been updated to include factual corrections highlighted by BitGo.

Cryptocurrency wallet BitGo has successfully patched a vulnerability relating to its recently released Ethereum and ERC-20 Threshold Signature Scheme (TSS) wallets.

The release of the ETH TSS hot wallets was announced on Oct. 31, 2022, and was touted to enable lower gas fees for users. BitGo developer notes committed to GitHub on Dec. 9, 2022, noted that the service did not have full support for third-party verification of key shares and signature shares.

Blockchain infrastructure company Fireblocks claimed to have identified and notified BitGo of the vulnerability in December 2022. A press release alleged that the vulnerability had the potential of exposing private keys of exchanges, banks, businesses and users of the platform.

BitGo has since refuted these claims in a blog post, highlighting that its own development team had noted in its GitHub documentation that the missing third-party verification was on its to-do list. The wallet service provider also maintains that user funds and private keys were never at risk of being compromised or disclosed through the vulnerability.

Cointelegraph understands that BitGo clients were not actively using the MPC wallet type in question to store cryptocurrency assets. Twenty developers currently have access to the wallet in early access, including BitGo employees and contributors, while the open-source nature of BitGo’s core wallet code allowed Fireblocks’ engineers to carry out testing as well.

Having disclosed the lack of third-party verification of key and signature shares last year, BitGo’s blog post branded Fireblocks as a ‘competitor’ that attempted to turn a ‘known gap into a publicity stunt.’

The initial press release from the Fireblocks team unpacked how it identified the exploit using a free BitGo account on mainnet. Part of the mandatory zero-knowledge proofs was missing from BitGo’s ECDSA TSS wallet protocol, which allowed the team to expose the private key through a simple attack.

Fireblocks claims that the vulnerability would allow potential attackers to quickly extract a private key using a small amount of JavaScript code. BitGo suspended the vulnerable service on Dec. 10 and released a patch in February 2023 that required client-side updates to the latest version by March 17.

Industry-standard, enterprise-grade cryptocurrency asset platforms make use of either multi-party computation (MPC/TSS) or multi-signature technology to remove the possibility of a single point of attack. This is done by distributing a private key between multiple parties, so that security controls remain in place if one party is compromised.

Hacks of wallets have been commonplace across the cryptocurrency industry in recent years. In August 2022, over $8 million was drained from over 7,000 Solana-based Slope wallets. Algorand network wallet service MyAlgo was also targeted by a wallet hack that saw over $9 million drained from various high-profile wallets.