On April 2, 2025, our research team found a bug in a limited-use configuration of our signing logic. A fix was deployed in our production environment within 12 hours of discovery, and a thorough technical and impact analysis was conducted. The small subset of Fireblocks clients that used the vulnerable functionality was notified and implemented all necessary updates. There is no known in-the-wild exploit of this issue, and no funds were lost.
The Bug
The cryptographic issue was the result of a software bug, limited to some customer accounts on a small subset of blockchains. Our research team found similar issues at additional wallet providers; we have notified them as part of a responsible disclosure process. Exploiting this signing logic for fund theft would have been highly complex, requiring specific cryptographic knowledge and familiarity with the Fireblocks environment.
Actions Taken
To ensure continued security, we are taking the actions outlined below:
- A comprehensive code audit, covering all relevant code areas and fixes, was conducted by Trail of Bits.
- An immediate, in-depth code review of all similar cryptographic code sections was performed by multiple Fireblocks cryptographic researchers and engineers.
- We are expanding our testing suite to include enhanced verification across all cryptographic algorithms, including automated checks to detect any regressions.
- Evaluations of all implementations and major changes will now be conducted by at least two leading security auditing companies specializing in cryptography and software implementation. Previously, we had a single external review for major changes.
- We are actively maintaining and enhancing the Fireblocks Bug Bounty program, encouraging participation from the research community.
Our rigorous process for introducing new cryptographic algorithms has involved, and continues to involve, review by multiple top practical and theoretical experts, culminating in an academic publication for community peer review.
Scope and notification:
- We have notified all affected clients and worked with them on applying mitigations. All non-affected clients received an email to confirm that they are unaffected.
- Neither Fireblocks Trust Company LLC nor Fireblocks LLC was impacted by the issues identified.
Commitment to continually raising the bar on security
Fireblocks was designed and proven to secure trillions in digital asset transactions – meeting the growing demands of thousands of financial institutions. We are committed to continuous investment in cybersecurity and being ahead of our collective adversaries. Through this event, we adopted new validations and reinforced infrastructure – all raising the bar yet again on our ability to provide the most secure and scalable platform for our clients.