Bitcoin Wallets Created Before 2016 May Be Vulnerable – Billions at Risk?
Early crypto adopters and participants in a number of blockchain platforms between 2011 and 2015 may be affected by a major threat.
Over the last 22 months, Unciphered says, the team has been working on a vulnerability that affected BitcoinJS, a package for the browser-based generation of crypto wallets.
As the package was very popular, the vulnerability caused the generation of “a significant number” of vulnerable crypto wallets over the years.
According to Unciphered’s website,
“By our estimates approximately 1.4M BTC are sitting in wallets that were generated with potentially weak cryptographic keys. If we conservatively estimate that only 3-5% of wallets generated during that time were affected, the current value of coins at risk is between 1.2 – 2.1 Billion USD (assuming 1 BTC=$30,000).”
A number of experts have been warning about it since 2018, they added.
The issue has been named Randstorm.
Per Unciphered’s website,
“Randstorm() is a term we coined to describe a collection of bugs, design decisions, and API changes that, when brought in contact with each other, combine to dramatically reduce the quality of random numbers produced by web browsers of a certain era (2011-2015).”
Meaning, they’re not quite as random as they should be.
At this time, the team will not provide more details on the exploitation of this vulnerability. This is done to give owners time to move their funds and avoid providing additional information to bad actors who are already at work.
Today we release our work on Randstorm: a vulnerability affecting a significant number of browser generated cryptocurrency wallets https://t.co/CebdytNaC6
— Unciphered LLC (@uncipheredLLC) November 14, 2023
Software Version Is Crucial
The mathematical underpinnings of bitcoin and blockchain remain strong, the team stressed. The issue is a series of programming mistakes “widely shared across many technologies.”
The software version used is particularly critical, the team said. Blockchain.info wallets created before March 2012, for example, or other wallets created using the open-source version of BitcoinJS prior to crucial March 2014 updates, are at greater risk.
BitcoinJS was used by many projects in the early 2010s, including the projects below.
The team stresses that not all of the projects mentioned are affected.
For those that are, the impact varies depending on how long they utilized the vulnerable code, additional mitigations put in place, and the size of the user base at the time.
The team confirmed that the vulnerability is exploitable. But the amount of work necessary to exploit wallets varies and increases over time: impacted wallets generated in 2014 are substantially more difficult to attack than those generated in 2012.
It’s Not Over
Unciphered disclosed the issue to Blockchain.com, Bitgo, Block.io, Dogechain.info, Bitpay, Blockstream Green, Bitaddress.org, Coinkite, and BitcoinJS.
“As a result of this, over a million users have received alerts advising them that their cryptocurrency wallets are potentially vulnerable and urging them to move their assets to more recently generated wallets.”
And BTC is not the only coin potentially affected – wallets of many altcoins may be, too.
For example, Unciphered researchers verified that the same flaws exist with DOGE wallet generation in the same period.
Lastly, the team warned that users may have only hours or days to save their funds.
“We can’t do more to protect you. Now you have to protect yourself. Move your money to a new wallet. Just as soon as you can.”
Users can check whether their wallets are vulnerable at www.keybleed.com.