The CurveBall vulnerability and ZenGo

TL;DR Your funds in ZenGo wallet are safe

In ZenGo we are always on the guard for news on security and cryptography, in order to protect our customers in the best possible way. Therefore when we learned last week that the NSA warns about a new cryptography related vulnerability, we knew we must dig in. We analyzed this vulnerability and shared our findings with the community via a blog post on the matter. This post became so popular, that we got to name this vulnerability (CVE-2020–0601) as “CurveBall”.

What are the implications on cryptocurrency

The vulnerability allows attackers to trick unpatched Windows 10 users into visiting fake sites and installing fake programs and updates.

Blockchains: no implications. The vulnerability is related to Elliptic Curve Cryptography (ECC) that is used in many of the popular blockchains, such as Bitcoin and Ethereum, but the problem is relevant to the Windows implementation of certificate validation, not in the cryptography itself.

ZenGo: no implications. We distribute our wallet for mobile platform only, and our production environment is not based on Windows.

Windows 10 desktop and web wallets: such wallets are probably vulnerable to the installation of fake updates and masquerading websites that may lead to the stealing of the private key and/or funds. Such attacks happened in the past and attackers are likely to abuse this vulnerability as there already publicly available tools to do so. Therefore, we recommend Windows10 users to patch their systems using the Windows Update as soon as possible. To check if your device is vulnerable, you can use the CurveBall test page.

CurveBall test page: Sometimes negative results are good!