Researchers at Fireblocks claim in a report that they detected a critical vulnerability in BitGo's Threshold Signature Scheme (TSS) wallet type, which is used for multi-party computation (MPC). BitGo and Fireblocks compete in providing custody and wallet services to institutional clients.
Fireblocks' report added that BitGo took action in December 2022 after being notified of the vulnerability and released a patch for the issue in February.
According to Fireblocks' allegations, the vulnerability resulted from a missing implementation of mandatory zero-knowledge proofs in the TSS wallet protocol.
Fireblocks also claimed in its report that the vulnerability allowed them to extract the private key of a BitGo TSS wallet on the Ethereum mainnet.
BitGo has criticized Fireblocks' finding, calling it a "publicity stunt" that attempts to create fear and damage BitGo's reputation. It claimed that the wallet type in question was still in early access and had only been made available to 20 developers. BitGo added that it was pursuing legal remedies against Fireblocks.
"None of our clients were using this type of wallet to store their assets. Because the wallet was in an early-access phase, it’s only available to 20 developers who are fully aware of the risks of using it, and several of those 20 developers are BitGo employees and contributors," a BitGo spokesperson said.
According to the BitGo team, the security issue had already been documented in its open-source code on GitHub and was publicly known before Fireblocks flagged it.
© 2023 The Block Crypto, Inc. All Rights Reserved.