Israeli startup exposes security vulnerabilities for banks
Israeli blockchain cyber startup GK8, which provides a high-security custody solution for safeguarding and managing digital assets, has identified inherent vulnerabilities in Multi-Party Computation (MPC) networks, which serve as the foundation for safeguarding blockchain assets such as Bitcoin and other cryptocurrencies by banks and exchanges.
According to the company, the critical vulnerabilities can derail the process of adopting digital assets by banks and financial institutions in the US and around the world.
In Multi-Party Computation networks, several independent and remote PCs are involved in the signing ceremony of any blockchain transaction. MPC security is based on dividing each private key into shards; the key is revealed only by piecing all of them together.
“MPCs have two main vulnerabilities,” said Lior Lamesh, CEO and Co-founder of GK8. “The first one is that they rely on the network of co-signers to be always connected to the internet. Even if their algorithms are extremely sophisticated, a skilled hacker with enough effort and persistence will eventually identify an attack vector in each of the co-signers and compromise the entire MPC network.
“The second vulnerability has to do with the size of the MPC network being deployed. MPCs are typically programmed in a way that once the majority of PCs in the MPC network (usually 2 out of 3, or 3 out of 4) provide their shard of the key, the request to execute the transaction is authorised. What this means for hackers is that they simply need to hack into one or two additional PCs to complete their takeover of the valuable keys. While this entails considerably more effort from the hacker, in today’s lucrative crypto market, hackers will consider investing millions in order to steal billions.”
According to Lamesh, expanding the MPC network to include more co-signers is not a feasible option, as expansion of regular MPC networks creates serious performance implications, making legitimate transactions to the blockchain slow and inefficient. Hence, the largest MPC networks in the market today typically don’t exceed 5 PCs.
To solve the challenge posed by MPC’s inherent vulnerabilities, GK8 has developed a truly air-gapped vault, which is never connected to the internet, and therefore cannot be hacked. The vault is where the keys for the vast majority of digital assets are stored, with MPCs controlling just a fraction of the assets. The vault is connected with a unidirectional connection to the MPC, in a way that signed transactions can only go out from the vault, never in.
On top of the unique vault, GK8 has a patented solution that enables adding dozens of PCs to the custodian MPC network – with no impact on network performance. “This is far more than just safety in numbers,” explained Lamesh. “The ability to add dozens of automated co-signers to any MPC network changes the equation for hackers, setting up a barrier whose breach would by definition require spending more than ever getting in return.”
According to Lamesh, customer demand for crypto services creates a strong incentive for banks to enter the cryptocurrency domain, but banks are hesitant to do so in light of the associated security risks. “This is understandable, considering that as much as $4.5 billion in crypto were stolen in 2019 alone. That’s why it’s imperative for banks to seek a secured platform that mitigates hacker attacks that can result not just in loss of digital assets, but also in severe reputational damage.”
GK8 was founded in July 2018 by CEO Lior Lamesh and CTO Shahar Shamai, who previously protected the State of Israel’s strategic assets against cyber attacks. GK8’s investors and advisory board include Check Point Founder Marius Nacht, Israel Discount Bank, Zcash founding scientist Professor Eran Tromer and former head of an Israeli intelligence cyber security unit, Ilan Levanon.