
Multiparty computation could offer increased protection for crypto wallets

Multiparty computation can help users to protect their private keys and seed phrases when used in wallets.

Multiparty computation (MPC) is a type of cryptographic protocol that allows multiple parties to jointly compute a function over their inputs without revealing those inputs to each other. 

MPC can be useful when parties want to compute some function together but want to keep their inputs private from others. For example, a group of banks may want to determine the total amount of money in their joint account without revealing their account balances to each other.

In MPC, each party has a secret input that they keep to themselves. The computation works by encrypting the inputs and operating on the encrypted values, so that the final result is the output of the desired function while the individual inputs stay hidden.

MPC protocols typically involve multiple rounds of communication between parties exchanging encrypted messages and performing various computations on their own inputs.

MPC is a complex and technical topic, and there are many variations and approaches to implementing MPC protocols. Some key challenges in designing MPC protocols include ensuring that the protocol is secure against various attacks, such as malicious parties trying to learn other parties’ inputs, and ensuring that the protocol is efficient with regard to computational resources and communication costs.
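The bank example above can be made concrete with additive secret sharing, one common way to keep inputs hidden during a joint computation (the article does not name a specific scheme). This is an added example, not code from any wallet or vendor mentioned here; the modulus, function names and balances are assumptions constructed for illustration, and it assumes parties that follow the protocol rather than the malicious parties mentioned above.

```python
import secrets

# Public modulus agreed by all parties (assumption: it only needs to be larger
# than any possible total; 2**61 - 1 is used here).
MODULUS = 2**61 - 1


def split(value, n):
    """Split value into n additive shares that sum to value mod MODULUS.

    Any n-1 of the shares are uniformly random, so they reveal nothing
    about value on their own.
    """
    shares = [secrets.randbelow(MODULUS) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % MODULUS)
    return shares


def secure_sum(balances):
    """Simulate the two-round protocol between honest-but-curious banks.

    Returns (total, views), where views[j] is everything bank j received
    from the other banks during the run.
    """
    n = len(balances)
    if n < 3:
        # With two parties, total minus your own input is the other input,
        # so the output itself leaks everything.
        raise ValueError("a sum over fewer than 3 parties hides nothing")
    if any(not 0 <= b < MODULUS for b in balances) or sum(balances) >= MODULUS:
        raise ValueError("balances must be non-negative and total below MODULUS")

    # Round 1: bank i splits its balance and sends share j to bank j.
    sent = [split(b, n) for b in balances]

    # Round 2: bank j adds up the shares it holds and publishes that partial sum.
    partials = [sum(sent[i][j] for i in range(n)) % MODULUS for j in range(n)]

    # Anyone can now add the published partial sums to obtain the total.
    total = sum(partials) % MODULUS

    views = [
        {"received": [sent[i][j] for i in range(n) if i != j],
         "partials": partials}
        for j in range(n)
    ]
    return total, views


if __name__ == "__main__":
    # Constructed sample balances for three banks.
    total, views = secure_sum([1_250_000, 730_500, 2_019_499])
    print("joint total:", total)
    print("what bank 0 saw from the others:", views[0])
```

Each bank only ever sees random-looking shares and partial sums, yet the published partials add up to the exact total.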

What is a multiparty computation crypto wallet?

A multiparty computation crypto wallet is a crypto wallet that uses MPC technology to manage and store users’ assets securely. In an MPC crypto wallet, the private keys used to access and manage the users’ cryptocurrency are split into multiple parts, known as “shares,” which are distributed among the parties involved in the MPC protocol.

The key advantage of using MPC in a crypto wallet is that it allows the users to securely manage their cryptocurrency without any single party having access to the entire private key. This can help protect against various attacks, such as hackers attempting to steal users’ cryptocurrency by compromising a single party’s private key share.


MPC crypto wallets typically use a combination of cryptography and secure communication protocols to enable different parties to jointly manage users’ cryptocurrency. The process can involve complex calculations and communication between the parties, but the result is a secure and efficient way to manage users’ cryptocurrency assets.
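To show what "jointly managing" a key without ever assembling it looks like, here is an added example (not code from ZenGo, Coinbase or any wallet named in this article) in which two share holders produce one valid signature. It swaps in a toy two-party Schnorr signature over a deliberately tiny group for brevity; the group parameters, class and function names are assumptions, it is 2-of-2 rather than a threshold quorum, and it omits the commitment rounds and proofs that production protocols add to withstand malicious parties.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed for illustration, far too small for real use):
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def challenge(R, X, msg):
    """Hash the joint nonce, joint public key and message into Z_Q."""
    data = f"{R}|{X}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


class ShareHolder:
    """One party (for example a phone or a server) holding one key share."""

    def __init__(self, name):
        self.name = name
        self._x = secrets.randbelow(Q - 1) + 1   # secret share, never transmitted
        self.public_share = pow(G, self._x, P)   # safe to publish
        self._k = None

    def new_nonce(self):
        """Round 1: pick a fresh nonce and publish only G^k."""
        self._k = secrets.randbelow(Q - 1) + 1
        return pow(G, self._k, P)

    def partial_signature(self, c):
        """Round 2: answer the challenge using this party's share only."""
        if self._k is None:
            raise RuntimeError("nonce missing or already used")
        s = (self._k + c * self._x) % Q
        self._k = None  # a nonce must never answer two challenges
        return s


def joint_public_key(holders):
    """Product of the public shares: the key for x1 + x2, which nobody computes."""
    X = 1
    for h in holders:
        X = X * h.public_share % P
    return X


def sign(holders, msg):
    """Run both rounds; only public values and partial signatures are exchanged."""
    X = joint_public_key(holders)
    R = 1
    for h in holders:
        R = R * h.new_nonce() % P
    c = challenge(R, X, msg)
    s = sum(h.partial_signature(c) for h in holders) % Q
    return R, s


def verify(X, msg, sig):
    """Ordinary Schnorr check: the verifier cannot tell the key was split."""
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P


if __name__ == "__main__":
    phone, server = ShareHolder("phone"), ShareHolder("server")
    X = joint_public_key([phone, server])
    msg = b"constructed sample transaction"
    print("valid:", verify(X, msg, sign([phone, server], msg)))
```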

Crypto wallets like ZenGo use multiparty computation to improve wallet security, and Coinbase has the feature enabled for its noncustodial wallet. MPC crypto wallets can provide increased security and protection against certain attacks, but they also require more computational resources than other crypto wallets.

Benefits and drawbacks of multiparty computation crypto wallets

The main advantage of an MPC crypto wallet is that it can provide increased security for users’ cryptocurrency assets by splitting the private keys used to access and manage the cryptocurrency into multiple parts and distributing those parts among different parties. 

Tal Be’ery, co-founder and chief technology officer at crypto wallet ZenGo, told Cointelegraph, “MPC solves cryptocurrency’s most pressing problem: The single point of failure (SPOF) of the private key. This SPOF is the main reason users lose their funds: Whether by misplacing their private key, having their private key stolen, or accidentally sharing their seed phrase through a phishing scam.” He continued:

“With MPC, the indivisible private key is replaced by multiple distributed secrets often called ‘shares,’ such that a quorum of these shares can distributively sign a message — without creating a private key.”

Be’ery mentioned how separating the pieces of the private key and storing them in different locations makes it more difficult for malicious actors to compromise a user’s wallet.

“If each of these shares is held in an orthogonal place (e.g., mobile device and a server), then it makes it orders of magnitude more complicated for hackers to steal, as the attacker would need to steal from multiple independent places in different ways,” Be’ery said.

“This type of architecture also solves the dilemma discussed above: Creating copies of shares as a backup against loss is much easier, as no one share represents the ‘the and only’ private key,” he added.

Parth Choudhary, founder and CEO of Glip — a Web3 gaming and wallet application — also told Cointelegraph, “MPC could make it so that a wallet provider can’t get to a user’s money or control it. It may also make it harder for hackers and other bad people to steal private keys.”

MPC cryptocurrency wallets have some advantages over traditional wallets. MPC wallets are more reliable since they can ensure that a user’s assets are still accessible, even if one or more parties become unavailable or unresponsive. Privacy is also improved because the private keys are split into multiple shares and distributed among different parties.

By preventing any single party from discovering the user’s complete private key, the user has a reduced chance of losing their funds. Security is also improved since the computations are carried out on encrypted values, preventing malicious parties from learning sensitive information.

However, there are also some potential disadvantages to using an MPC crypto wallet. One of these disadvantages is the complexity associated with MPC protocols, especially for non-experts in cryptography. So, an MPC wallet can be more challenging to set up for the average person.


Additionally, due to the computational resources needed by MPC protocols, they may be slower to operate. In this regard, an MPC wallet may be less efficient than other crypto wallets. Finally, not all cryptocurrency assets can be managed using an MPC crypto wallet, and some assets may be difficult or impractical to manage using MPC.

Wallet security has always been important for anybody who uses cryptocurrency, and the need for self-custody has become all the more apparent with the collapse of several high profile cryptocurrency firms and the loss of millions in user funds.

The decision to use an MPC crypto wallet will depend on the specific needs and requirements of the user. For example, it may be useful for users who prioritize security and privacy, but some people may prefer a simpler solution.

Telegram CEO Arrested, Coinbase CEO Bullish on Crypto Payments, and More — Week in Review

The Easy Company secures $14.2M funding for new crypto wallet with social features

The company says it wants to make it easier for users to engage with Web3 and use digital wallets.

The Easy Company, a startup focusing on building a consumer layer for the decentralized web, has raised $14.2 million in a seed round for its “social” crypto wallet, which seeks to help onboard more mainstream audiences into the Web3 ecosystem. 

As reported by TechCrunch, the seed funding round was supported by a diverse group of investors, including venture capital firms Lobby Capital, Relay Ventures and 6th Man Ventures, as well as Tapestry, Upside and Scribble. Additionally, the round featured angel investors with backgrounds in traditional social media and Web3, including former executives from Instagram, Novi, Airbnb, Twitter, Uber, OpenTable and Eventbrite.

The wallet is said to be available to the public on iOS and Android after completing a 30-day private testing phase. According to Easy’s CEO, Mike Dougherty, the company aims to combine user-curated profiles with engaging social features so that people can search, navigate and discover the world of Web3 on their own.


A lot of Web3 products and services today are too technical for the everyday person to use, Dougherty shared. The company aims to make it easier for users to engage with Web3 and use digital wallets. The platform reportedly has a similar layout to social media apps like Instagram, where users can swipe to view both their own NFTs or those of people they “watch,” like Instagram Stories.


Despite a long crypto winter, Web3 projects continue to receive substantial funding from venture capitalists. In 2022, billions of dollars poured into various projects in the ecosystem, including blockchain-based startups.

In the first two quarters of 2022, venture capital inflows were over $14 billion, and even though they receded to just under $5 billion in the third quarter, that was still a substantial amount given the negative impact of the sudden collapse of several prominent players in the industry, such as Celsius, Three Arrows Capital, BlockFi and FTX. Venture capital funding for 2023 remains to be seen.

On Jan. 4, Cointelegraph reported that Singapore-based cryptocurrency exchange MEXC plans to invest $20 million to support the growth and development of Sei Network, a layer-1 blockchain platform that is specifically tailored for trading. 


How to keep your crypto safe in 2023: a few tips from an analyst

Lead on-chain analyst at Glassnode, James Check, explains why taking self-custody of your private keys has become more important than ever and how to do it in a few simple steps.

There is no excuse for not putting a few hours of research into how to properly custody your crypto, according to lead on-chain analyst James Check. Joining the latest debate around self-custody, the analyst pushed back against the notion that managing private keys is too complicated and risky for the average crypto user. 

“If you have gold in your vault, if you have cash in your wallet, it's the same concept: you need to exercise a level of responsibility,” said Check in our latest Cointelegraph interview.

Check argued that, while third-party custody and semi-custodial solutions such as collaborative custody may appear more user-friendly for the average user, they also carry their own, even bigger, risk vectors.

To the analyst, when it comes to custody "there are no solutions, only trade-offs." His position is that being in full control of your own crypto and eliminating the third-party risk is well worth the effort of learning how to keep your wallet's 12 word seed phrase safe.


Ultimately, Check pointed out that the amount of time and effort someone should put into learning self-custody should be scaled proportionally to the size of their holdings.

“If you're not willing to put more than 5 minutes into it, then don't put more than $5 into it. If you're willing to do 100 hours now, you can start talking about doing your significant sums of savings,” he said. 

To find out more about Check's approach to self-custody, check out the full interview on our YouTube channel and subscribe!


MetaMask removes Wyre from aggregators amid shutdown reports

Wyre was set to be acquired for $1.5 billion by San Francisco e-commerce startup Bolt last year, but the deal was eventually scrapped.

Crypto wallet MetaMask is ending support for the services of the Wyre crypto payment platform amid reports that Wyre plans to shut down operations soon.

MetaMask took to Twitter on Jan. 5 to announce that it has removed Wyre from its mobile aggregator, which allows users to buy crypto directly through its digital wallet.

“We're currently working on extension removal and appreciate your patience,” MetaMask said, asking users not to use Wyre on the mobile aggregator.

According to the announcement, MetaMask still supports a wide number of other payment gateways, including Transak, MoonPay, and Sardine. The services are available on Apple Pay, bank cards and transfers, MetaMask noted.

The news comes soon after Wyre CEO Ioannis Giannaros reportedly announced to employees that the firm is going to shut down operations soon.

“We'll continue to do everything we can, but I want everyone to brace themselves for the fact that we will need to unwind the business over the next couple of weeks,” Giannaros reportedly stated.


MetaMask did not immediately respond to Cointelegraph’s request to comment. Wyre did not respond to several press inquiries from Cointelegraph.

Founded in 2013 in San Francisco, Wyre is a major crypto payment firm that came close to being acquired for $1.5 billion last year. In April 2022, the United States e-commerce startup Bolt agreed to acquire Wyre. Amid the massive crypto bear market of 2022, Bolt eventually opted to scrap the deal in September.


MyEtherWallet CEO talks about the future of crypto self-custody

Tune in to the third episode of Hashing It Out as Cointelegraph's Elisha Owusu Akyaw discusses the future of noncustodial cryptocurrency wallets with Kosala Hemachandra, CEO of MyEtherWallet.

In the third episode of the Hashing It Out podcast series, Cointelegraph’s Elisha Owusu Akyaw discusses the future of noncustodial cryptocurrency wallets with Kosala Hemachandra, CEO of MyEtherWallet.

Recent issues with centralized platforms have put the spotlight on decentralized applications (DApps), and self-custody — where users keep their funds completely under their responsibility — has become a major trend.

MyEtherWallet is one of the oldest noncustodial wallets with a focus on the Ethereum blockchain. According to Kosala Hemachandra, the wallet went live just two weeks after the Ethereum mainnet launch. The CEO of MyEtherWallet explains that they chose to make a decentralized wallet because they believed it was the only proper way to interact with blockchain technology.

“Blockchain, at its core, is a decentralized solution, so why would we create products that are centralized? Because we are defeating the whole purpose of using blockchain."

Hemachandra explains that MyEtherWallet started as a hobby project, which became more demanding since there were no examples to look at during its development. The developer had to write new Ethereum libraries in JavaScript.

The need to build a foundation of codebases that could accelerate growth in the Ethereum landscape was the reason why the team opted to make the code open source. What’s more, the open-source nature of the code allows the platform to have more eyes on its codebase to prevent potential vulnerabilities.

Despite growing competition, MyEtherWallet has over 3 million monthly users who are mainly from the United States and Japan. To catch up with the likes of MetaMask, the decentralized wallet is adding support for more blockchain networks and recently launched a multichain browser extension. Hemachandra also pointed out that the first two weeks after the FTX saga brought in many new users looking for decentralized alternatives to store their crypto.


On trends in the industry, Hemachandra mentioned that MyEtherWallet has yet to make plans to do an airdrop for its users despite many rumors that some of its competitors may launch their own tokens soon. According to the CEO of MyEtherWallet, they don’t see any use cases for tokens released by wallet applications at the moment.

In the episode, Elisha and Hemachandra also cover:

  • New features for decentralized wallets.
  • The Ethereum ecosystem and the popularity of layer-2 platforms.
  • A multichain future in the blockchain ecosystem.

Hashing It Out is a new Cointelegraph podcast series covering innovations and important stories in the blockchain industry, featuring interviews with thought leaders in the space hosted by Elisha Owusu Akyaw (GhCryptoGuy).

For more discussion with Kosala Hemachandra, listen to the full episode of Hashing It Out on the new Cointelegraph Podcasts page or Spotify, Apple Podcasts, Google Podcasts or Amazon Music.


Ancient Bitcoin Block Rewards See Decrease in Spending After Record Activity in 2020 and 2021

In 2021, a number of 2010 block rewards were spent after the bitcoins sat idle for more than a decade. Furthermore, in 2020 and 2021, an early miner from 2010 spent strings of 20 ancient block rewards. In 2022, however, only 17 block rewards from 2010 were spent. Alongside this, on March 10, 2022, an […]


Bitcoin core developer claims to have lost 200+ BTC in hack

Bitcoin OG and core developer Luke Dashjr claims his PGP key was compromised, resulting in virtually all his Bitcoin being stolen from him on Dec. 31.

One of the original core developers behind Bitcoin (BTC), Luke Dashjr, claims to have lost “basically” all his BTC as a result of a hack that occurred just before the new year. 

In a Jan. 1 post on Twitter, the developer said the alleged hackers had somehow gained access to his PGP (Pretty Good Privacy) key, part of a common encryption scheme that uses a pair of keys, one public and one private, to protect access to encrypted information.

In the thread, he shared a wallet address where some of the stolen BTC had been sent but did not reveal how much of his BTC was stolen in total.

At the time of writing, the wallet address in question shows four transactions between 2:08 and 2:16 pm UTC on Dec. 31, totalling 216.93 BTC — worth $3.6 million at current prices.

Dashjr said he had “no idea how” the attackers gained access to his key, though some in the community have pointed to a possible connection with an earlier Twitter post from Dashjr on Nov. 17 that noted that his server had been compromised by “new malware/backdoors on the system.”

Dashjr told a user in his most recent Twitter thread that he had only noticed the recent hack after getting emails from Coinbase and Kraken about login attempts.

The incident has also caught the attention of Binance CEO Changpeng “CZ” Zhao, who offered condolences and support in a Jan. 1 post.

“Sorry to see you lose so much. Informed our security team to monitor. If it comes our way, we will freeze it. If there is anything else we can help with, please let us know. We deal with these often, and have Law Enforcement (LE) relationships worldwide," he wrote.

Some in the crypto community have speculated that lax security might be to blame for the loss.

In a Jan. 1 Reddit thread, a user calling themselves SatStandard suggested that Dashjr may not have taken the Nov. 17 security breach “seriously enough” and later suggested that the Bitcoin developer “did not keep different activities separated.”

“He had hot wallet on the same computer he did everything else. It looks like he was really complacent.”

Meanwhile, a few others appear to suggest it may not have been a hack at all, suggesting that someone had stumbled across the seed phrase somehow, or it was part of an unfortunate “boating accident” ahead of tax season.

A boating accident in this context is in reference to a running joke and meme originally used by gun enthusiasts, but since repurposed by the crypto community about people trying to avoid paying taxes by claiming they lost all their BTC in a “tragic boating accident.”

Cointelegraph reached out to Dashjr over Twitter for more information about the alleged hack but did not hear back by the time of publication.


The news has also ignited a debate around self-custody, which became a hot topic after the collapse of FTX last year.

Binance’s Zhao, who previously cautioned the crypto community about self-custody, said: “Sad to see even an OG #Bitcoin Core Developer lost 200+ BTC ($3.5 million). Self custody [has] a different set of risks.”

Online social media BTC influencer Udi Wertheimer also took the time to question whether self-custody was a viable and safe option, commenting that one “shouldn’t manage your own keys.”

“If even one of Bitcoin’s OG developers messes this up, I really don’t know how other people are expected to do it safely.”

“That’s not to say self custody is bad. But you shouldn’t manage keys directly,” he said.


BitKeep exploiter used phishing sites to lure in users: Report

The attacker appears to be attempting to cash out funds using Binance and Changenow.

The BitKeep exploit that occurred on Dec. 26 used phishing sites to fool users into downloading fake wallets, according to a report by blockchain analytics provider OKLink.

The report stated that the attacker set up several fake BitKeep websites which contained an APK file that looked like version 7.2.9 of the BitKeep wallet. When users “updated” their wallets by downloading the malicious file, their private keys or seed words were stolen and sent to the attacker.

The report did not say how the malicious file stole the users’ keys in an unencrypted form. However, it may have simply asked the users to re-enter their seed words as part of the “update,” which the software could have logged and sent to the attacker.

Once the attacker had users’ private keys, they unstaked all assets and drained them into five wallets under the attacker’s control. From there, they tried to cash out some of the funds using centralised exchanges: 2 ETH and 100 USDC were sent to Binance, and 21 ETH were sent to Changenow.

The attack happened across five different networks: BNB Chain, Tron, Ethereum, and Polygon. BNB Chain bridges Biswap, Nomiswap, and Apeswap were used to bridge some of the tokens to Ethereum. In total, over $13 million worth of crypto was taken in the attack.


It is not yet clear how the attacker convinced users to visit the fake websites. The official website for BitKeep provided a link that sent users to the official Google Play Store page for the app, but it does not carry an APK file of the app at all.

The BitKeep attack was first reported by PeckShield at 7:30 a.m. UTC. At the time, it was blamed on an “APK version hack.” This new report from OKLink suggests that the hacked APK came from malicious sites, and that the developer’s official website has not been breached.


Ukrainian Steals Bitcoin From Russian Darknet Market, Donates to Charity

A Ukrainian living in the U.S. has reportedly hacked a major drug market on the Russian dark web, diverting some of its crypto proceeds. The man says he donated the digital cash stolen from the illicit website to an organization delivering humanitarian aid across his war-torn homeland. Wisconsin Resident With Ukrainian Roots Hacks Russian Dark […]


LastPass attacker stole password vault data, showing Web2’s limitations

LastPass users with weak master passwords may need to change the individual passwords they stored with the service.

Password management service LastPass was hacked in August 2022, and the attacker stole users’ encrypted passwords, according to a Dec. 23 statement from the company. This means that the attacker may be able to crack some website passwords of LastPass users through brute force guessing.

LastPass first disclosed the breach in August 2022 but at that time, it appeared that the attacker had only obtained source code and technical information, not any customer data. However, the company has investigated and discovered that the attacker used this technical information to attack another employee’s device, which was then used to obtain keys to customer data stored in a cloud storage system.

As a result, unencrypted customer metadata has been revealed to the attacker, including “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

In addition, some customers’ encrypted vaults were stolen. These vaults contain the website passwords that each user stores with the LastPass service. Luckily, the vaults are encrypted with a key derived from each user’s Master Password, which should prevent the attacker from being able to read them.

The statement from LastPass emphasizes that the service uses state-of-the-art encryption to make it very difficult for an attacker to read vault files without knowing the Master Password, stating:

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Even so, LastPass admits that if a customer has used a weak Master Password, the attacker may be able to use brute force to guess this password, allowing them to decrypt the vault and gain all of the customer’s website passwords, as LastPass explains:

“it is important to note that if your master password does not make use of the [best practices the company recommends], then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”

Can password manager hacks be eliminated with Web3?

The LastPass exploit illustrates a claim that Web3 developers have been making for years: that the traditional username and password login system needs to be scrapped in favor of blockchain wallet logins.

According to advocates for crypto wallet login, traditional password logins are fundamentally insecure because they require hashes of passwords to be kept on cloud servers. If these hashes are stolen, they can be cracked. In addition, if a user relies on the same password for multiple websites, one stolen password can lead to a breach of all others. On the other hand, most users can’t remember multiple passwords for different websites.

To solve this problem, password management services like LastPass have been invented. But these also rely on cloud services to store encrypted password vaults. If an attacker manages to obtain the password vault from the password manager service, they may be able to crack the vault and obtain all of the user’s passwords.

Web3 applications solve the problem in a different way. They use browser extension wallets like MetaMask or Trust Wallet to sign in using a cryptographic signature, eliminating the need for a password to be stored in the cloud.

An example of a crypto wallet login page. Source: Blockscan Chat

But so far, this method has only been standardized for decentralized applications. Traditional apps that require a central server don’t currently have an agreed-upon standard for how to use crypto wallets for logins.


However, a recent Ethereum Improvement Proposal (EIP) aims to remedy this situation. Called “EIP-4361,” the proposal attempts to provide a universal standard for web logins that works for both centralized and decentralized applications.

If this standard is agreed upon and implemented by the Web3 industry, its proponents hope that the entire world wide web will eventually get rid of password logins altogether, eliminating the risk of password manager breaches like the one that has happened at LastPass.
