A cryptocurrency recovery startup, Unciphered, publicly disclosed vulnerabilities in BitcoinJS-based wallets. The wallets at risk are those created between 2011 and 2016. The firm also boasts the largest coordinated disclosure on the incident.
Unciphered named the flaw “Randstorm.” The name Randstorm refers to the lack of randomness in the creation of cryptographic keys by wallet programs. “Instead of crafting electronic keys that were one in a trillion and therefore very hard for an outsider to forge, they made keys that were one in some number of thousands — a randomness factor easily hacked.”
Today we release our work on Randstorm: a vulnerability affecting a significant number of browser generated cryptocurrency wallets https://t.co/CebdytNaC6— Unciphered LLC (@uncipheredLLC) November 14, 2023
Reporting @washingtonpost https://t.co/OzYDq2tH4W
Technical write-up: https://t.co/HPqjtaX1CA #Bitcoin #blockchain pic.twitter.com/aN7CZh9sv4
The discovery was made by Unciphered while providing recovery services to an investor who had lost his passwords. Although the firm couldn’t recover the Bitcoins, they stumbled upon a potential method to compromise other software wallets and steal $1 billion or more. In the interest of wallet owners’ safety, the firm decided to make this information public, but without providing enough details for fraudsters to exploit the cracking method.
The affected wallets were created using BitcoinJS, a program that incorporated code from a program found on a Stanford University student’s webpage. According to Chris Wysopal, the vulnerable library is bitcoinjs-lib.
The investor in question had created a wallet on Blockchain.info (now Blockchain.com) back in 2014. After inadvertently wiping his computer’s memory, he realized that he had lost his passwords. Unciphered has been working on the recovery since January 2022, but unfortunately, the information provided by the investor has not been sufficient to recover the wallet.
According to Nick Bax, an X user familiar with the firm, over a million holders have been notified to migrate their crypto assets from old addresses.
He mentioned that BitcoinJS wallets have a significant market share, attributing it to their easy setup. This ease of setup may have also contributed to the increase in crypto adoption.
The exact number of affected wallets is still unknown. Nick Bax stated, “Estimating the total impacted amount is challenging due to the large uncertainties and nuances involved.”
Additionally, users who do not store their crypto assets on a BitcoinJS wallet are advised to transfer their assets from old wallets.
What do you think of this article? Share comments below.