BLACK HAT USA — Las Vegas – Wednesday, Aug. 9 Vulnerabilities in protocols used by major cryptocurrency wallets could potentially allow an attacker to access an investor’s private key and steal all of their digital assets.
At Black Hat on Wednesday, researchers from Fireblocks described how financially motivated cyberattackers could exploit the Lindell17, GG18, and GG20 threshold signature schemes (TSS), used for signing off on blockchain transactions by services globally. These protocols are used by popular libraries and wallet providers, including Zengo, Coinbase’s wallet-as-a-service, and others.
Both Zengo and Coinbase have since mitigated the issue, and neither they nor the researchers have identified any attackers taking advantage of the TSS vulnerabilities.
The Vulnerability in Private Keys
The promise of cryptocurrency, from the very beginning, was autonomy. You, and you alone, control the storage and transfer of your own money. The most fundamental mechanism enabling this autonomy is the private key, a unique identifier associated with your online wallet. Like a password that can never be changed, one who controls the private key controls the wallet and all of its contents.
As Shahar Madar, Fireblocks’ head of security products, points out, “if you think about it, this is a very fragile thing in terms of security. Where do you keep the key?”
The risk of a single point of failure inspired the adoption of multiparty computation (MPC), where multiple parties are required to approve any given transaction. “Think about the biggest banks in the world using blockchain technology,” Madar says. “You want them to be confident in all the millions and billions of dollars they’re transacting. So MPC is the idea that in a functional transaction, you need a certain threshold of approval in order for the final signature to be valid.”
The vulnerabilities that Fireblocks identified enable an attacker to inject themselves into this picture and take control of those parties.
How It Works
To exploit these wallet signing protocols, an attacker first compromises a party to the signature — the wallet’s user, for example, or their provider. From there, they can send specially crafted messages that slowly leak bits of the user’s private key data.
For example, in the case of Lindell17, the messages can take advantage of how the protocol handles aborts, forcing it into “an ‘impossible choice’ between aborting operations, which is an unreasonable approach given funds might be locked in the wallet or to continue signing and sacrificing additional bits of the key with every signature,” the researchers explained in their technical report. With repeated malicious messages, more and more private key data is leaked until, eventually, all of it is in the attacker’s hands.
In the cases of GG18 and GG20, the researchers noted, an attacker need not necessarily compromise one of the parties to a transaction. And in the case of one MPC library, an attacker could extract the key data without any malicious messages at all, simply by recovering the private key during the process of generating a key pair.
That a system specially designed to maximize security can be so thoroughly exposed highlights the need for additional security layers. Within organizations handling digital assets, “obviously you need to have an internal crypto team, and they need to know what they’re doing,” Madar says. Beyond that, “everyone should take from this the importance of high-quality detection systems.”
“If an attacker is successful,” he added, “they can take all the other parties in MPC out of the game. But until then, they have to act within the rules of the game. And being an authorized party here gives you the advantage to detect and lead a response before that happens.”