Welcome to the BitForge Status Checker

Multi-party computation remains the indisputable industry standard for wallet security. The Fireblocks cryptography team is at the forefront of security, staying ahead of potential threats and reporting them to the community to strengthen and advance security standards in the digital asset space.

Being aware of your vendor’s security status is crucial to ensuring your business runs efficiently without potential disruptions. That’s why Fireblocks works diligently to communicate potential vulnerabilities to the cryptography ecosystem.

The following vendors have confirmed the remediation of their MPC protocols.

  • Vendors | MPC Protocol Deployed | Status
  • Coinbase (WaaS) | Lindell 17 | Secure
  • Zengo | Lindell 17 | Secure
  • Anonymous | Lindell 17 | Secure
  • Abcxzy | GG18/20 TSS | Pending

Don’t see your vendor listed?

Contact us to determine if your MPC wallet vendor has been impacted.

Frequently asked questions

We have compiled a list of frequently asked questions that address the common queries related to vendors and vulnerabilities.

    • No, BitForge only impacts MPC wallet providers that utilize the GG-18, GG-20, and Lindell17 protocols.

      Even if your provider is using another MPC protocol, it is important to ensure they undergo regular code audits and have the cryptography resources to immediately patch security vulnerabilities.

    • The security and concept of MPC remains intact. The vulnerabilities identified are affecting specific implementations of MPC, and not the overarching concept itself. 

      When security flaws and vulnerabilities are found, every software and cryptographic protocol must be thoroughly audited and tested, and teams must have a plan in place to address security issues in a timely fashion. 

      The BitForge vulnerability does not reflect the security of MPC as a technology.

      MPC remains the leading security technology to protect private keys during generation, signing, and storage. This is because MPC removes the concept of a single private key; such a key is never gathered as a whole, neither during the first creation of the wallet nor during the actual signature.

      At Fireblocks, we understand that no security technology alone is unbreakable. As we’ve seen over the years, the best defense against cybercriminals is a multilayered one. That’s why Fireblocks utilizes a multi-layer security approach to protect all attack surfaces and provide redundancy in the event that one of the security controls fails. Layers of the strongest software and hardware defenses create a truly secure environment for storing, transferring, and issuing digital assets.

    • Not all MPC protocols and implementations are created equal. Proficiency in implementation and the ability to manage and resolve vulnerability issues to protect users vary widely, as does the security level of different MPC implementations. 

      It takes a team of cryptography experts to bring any cryptographic protocol from the academic research paper to production implementation. In the case of Lindell17, wallet providers deviated from the academic paper, which created a backdoor for attackers to expose the private key when signing fails. For GG18 and GG20, there was a missing zero-knowledge proof in the academic paper that created a vulnerability in the implementation.

      The BitForge vulnerability demonstrates that even though a wallet provider may use MPC, it is up to their cryptography and security experts to ensure proper implementation and constantly monitor for the latest attack vectors.

    • No, it is not recommended that you move to multi-sig. From a security standpoint, there’s no reason to switch to multi-sig as the weaknesses of multi-sig (not protocol agnostic, operationally inflexible) still stand.

      For more on the differences between multi-sig and MPC, read our blog post on the topic.

    • What makes an excellent cryptography team is its ability to understand, assess risk, and fix potential vulnerabilities promptly once identified. Cryptography teams should stay updated on the latest cryptography developments and evolving attack vectors impacting digital assets. When notified of a security vulnerability, they should have an action plan to address the security challenges in a reasonable timeframe.

    • Some Fireblocks customers use more than one custody technology provider for a multitude of reasons, such as to meet a regulatory requirement to hold a portion of assets with a qualified custodian. It is our responsibility to assess the security of our customers’ systems, and that includes understanding areas in which they may be vulnerable, so that we may assist with risk mitigation to help fortify our customers’ security posture. 

      With security research at our core, Fireblocks constantly advances our security practices to protect customers from emerging attack vectors. Our research team sits at the center of the cryptography community, frequently collaborating with academic researchers and contributing to the latest developments in the space.

    • As far as we know, the vulnerabilities have not been exploited. However, if an attacker were stealing a private key, it would be impossible to know until they moved funds to a new wallet.

      As part of the responsible disclosure process, Fireblocks provided the industry-standard 90-day notice to all identified providers before publishing the findings from the BitForge vulnerabilities.

    • The protocols implemented by Fireblocks – MPC-CMP and MPC-CMPGG – are not impacted by BitForge. They are not vulnerable as they utilize the required Zero Knowledge Proofs to validate all secret key material throughout the key generation, signing, and storage processes.

    • Aside from the strong formalization of our cryptography protocols, Fireblocks also operates on a Secure MPC Framework, a set of guidelines that ensures that we maintain a safe and secure platform for our customers. This includes:

      • Using the latest peer-reviewed MPC algorithms
      • Securing your implementation of the chosen algorithm
      • Getting security audits – 3rd party and internal
      • Setting up a public bug bounty program
      • Opening your implementation for the community to inspect
      • Detecting misuse and active exploitation of your MPC protocol

      In addition, we employ our multi-layer security system (read more in our white paper: Fireblocks’ Multi-layer Philosophy for Securing Digital Assets) to provide the strongest software and hardware defense available against evolving attack vectors.

    • In the blockchain industry, we’re all building towards the same goals. With some of the recent hacks, the positive takeaway was that if you’re in a community that is banded together toward a common goal, it makes a huge difference.

      It’s part of the DNA of the industry to work together to be stronger out of the public eye rather than calling companies out publicly and harming their credibility before giving them the chance to make any fixes.

      Instead, we recommend that users either check with their providers directly or utilize our BitForge Status Tracker to find out whether they are currently exposed to an impacted MPC implementation.

    • Fireblocks’ MPC implementations are open source under limited license (read more on our blog: Fireblocks’ MPC-CMP code is Open-Source), and have been audited by multiple top-tier firms, most recently by NCC Group.