BitForge: Strengthening Zengo’s security

Tl;dr: A recent discovery in the implementation of certain MPC wallets, including Binance, Coinbase, and Zengo, was shared publicly by Fireblocks on Wednesday, August 9th. Our Zengo X research team collaborated with Fireblocks and promptly addressed the discovery. No Zengo users were impacted, and this case study highlights the strength and robustness of Zengo’s security framework. A thank you to Fireblocks for their responsible disclosure: This is exactly what proactive collaboration looks like.

The BitForge Issue

Through a series of creative cryptographic penetration tests of an MPC library we intentionally open-sourced, the Fireblocks team was able to find a way to slowly reveal an individual user’s private key. However, doing so requires direct access to the specific user’s device via malware (the issue is non-systemic). Infecting an updated mobile device requires some 0-day vulnerability, which is usually only associated with nation-state actors. Please note that in this attack scenario a traditional seed phrase wallet would be immediately vulnerable.

While no user was impacted, the Fireblocks team was able to successfully demonstrate this theoretical discovery with their own systems. For detailed information see their full post here.

BitForge Highlights Zengo’s Robust Security Framework

Because no system is perfectly secure, it’s imperative to understand and embrace tradeoffs inherent to any practical implementation of cryptographic security.

  • Advanced MPC know-how: The specific issue identified by Fireblocks requires a series of advanced tools to implement, including deep practical MPC knowledge, attack knowledge, and malware on the specific device.
  • Open-Source Audits: This discovery also highlights the power of our open-source cryptographic library. We are committed to open-source where and when appropriate, manage a White Hat Bug Bounty program for those interested, and have conducted a series of 3rd-party audits to continue to strengthen our system.
  • Defense in Depth: Zengo implements multiple layers of security. While the wallet is based on MPC, this is only one of several security layers, which include various anti-hacking and mobile security techniques.

Ultimately, our most important statistic speaks for itself: With nearly a million global customers, not one Zengo wallet has been stolen or drained since Zengo was founded in 2018. We are committed to responsible security stewardship and look forward to future collaborations to continue to make the industry more secure for all.

To learn more: