Date: 2023-03-17

The cryptography research team at blockchain infrastructure provider Fireblocks today released the details of a vulnerability in BitGo’s Ethereum wallets that use the firm’s Threshold Signature Scheme (TSS). BitGo users whose private keys were potentially exposed include exchanges, banks, and notable Web3 brands with hundreds of thousands of users between them. Fireblocks refused to disclose the names of specific brands affected, citing a non-disclosure agreement (NDA).

Fireblocks was able to catch the vulnerability in early December, just over a month after the service was made public. After confirming the technical details of the vulnerability, BitGo suspended the service on December 10, releasing a patch update in February. The Palo Alto-based firm also required its clients to update to the latest version by March 17.

Today’s announcement comes at the end of a “coordinated disclosure” process that the firm’s research team has followed with BitGo’s security team. According to Fireblocks, the vulnerability could have enabled an attacker to extract a full private key using a single signature and a few seconds of computation, bypassing all of BitGo’s security features.

