The Fireblocks research team has identified a fundamental issue with the GG18 and GG20 protocols, showing that some information related to the private key can be leaked. The problem exists even under the strict implementations of the GG protocols, and mitigating it requires adapting an MPC-CMP-like security model.
Another research team led by Omer Shlomovits has conducted similar research. The practical exploitation of the GG18 vulnerability came from Omer’s team.
Omer’s team was recently able to show a key extraction attack under certain implementations of GG18 (Gennaro and Goldfeder). In this vulnerability, one of the MPC parties can perform an attack and force the other parties to disclose their shares, thus gathering the private key. This vulnerability is related to a missing implementation of one of the zero-knowledge range-proofs.
While specific exploitation techniques of these issues are yet to be shown and are pending further research, we’re now urging all digital asset and cryptocurrency practitioners to adopt MPC-CMP technology, the most advanced and secure version of MPC available for ECDSA signing.
Customers using MPC-CMP are not exposed, and any legacy MPC wallets have been patched. Customers can rest assured that funds remain as secure as ever with Fireblocks.
MPC vulnerability discovery
Since the release of MPC-CMP over a year and a half ago, our research team has conducted active research to explore if older variants of ECDSA MPC wallets introduce vulnerabilities due to their non-UC (Universally Composable) security promise. The study was also motivated to reduce the number of communication rounds and allow support for offline signing (this research eventually resulted in the launch of MPC-CMP).
During this research, we noticed that the security analysis of GG18 (an early and still popular algorithm used by blockchains and institutions to implement MPC) had some issues due to missing zero-knowledge range-proofs in the protocol.
Unlike GG18, MPC-CMP uses the necessary zero-knowledge proofs (while also empowering 800% faster transaction signing rounds and offline/cold wallet signing) and is not affected by this vulnerability.
While the GG18 vulnerability discovery was significant, our research team had not yet proven it was exploitable. Thousands of new vulnerabilities are discovered every month, but not all are made practical. Once a vulnerability is made practical it is much more likely for a hacker to design an attack and exploit the vulnerability.
Patching the MPC vulnerability
Fireblocks patched Omer’s vulnerability within 96 hours from being notified, ensuring all of our customers’ funds are secure and not affected. We have also confirmed there is no evidence of any past attempt to exploit this vulnerability.
Following responsible disclosure guidelines, all vendors and researchers utilizing MPC were notified of the discovery and given a chance to patch the known MPC vulnerability before any practical exploitation was published.
As such, the industry has generally patched the vulnerability in the last couple of months.
Universally Composable Security & MPC-CMP adoption
MPC-CMP employs a concept called universally composable (UC) security. With UC security, the protocol cannot be exploited:
- Even if it is executed many times in parallel
- In complex environments (even after multiple execution failures)
All signing executions as a whole remain secure and do not leak secret data.
On the other hand, when an adversary attacks an instance of the GG18 protocol – which lacks the necessary zero-knowledge proofs – there can be substantial leakage of secret data. In fact, this attack can be performed by an active attacker controlling a single party of the MPC quorum.
As one of the originators in the application of MPC technology for private key security and the first to securely store and transfer trillions of dollars in digital assets using MPC, Fireblocks is a strong advocate of the operational utility and security durability of this technology.
Today, we encourage the community to move to MPC-CMP, the most advanced and secure version of MPC available for ECDSA signing. MPC-CMP is readily accessible as an open-source and peer-reviewed algorithm.
Does this impact all MPC providers?
This vulnerability impacts anyone using GG18 and GG20 and potentially other algorithms that have not implemented MPC-CMP.
Are my Fireblocks wallet or private keys affected by this vulnerability?
No, we did not find evidence of any exploitation attempt in any of our users’ wallets. We have patched legacy MPC wallets and are completing the migration of these legacy wallets to MPC-CMP.
Is MPC still safe?
Yes, vulnerability discoveries occur in all technologies, including established cryptography libraries and Hardware Security Modules (HSMs). Patch speed, in addition to multi-layer security, are both effective strategies to minimize exposure and impact to new exploits.