Crypto cybersecurity firm Unciphered has unearthed a decade-old crypto wallet bug affecting browser-based wallets generated between 2011 and 2015.
The bug may allow nefarious actors to steal up to $2.1 billion from wallets on various networks, including Bitcoin (BTC), Dogecoin (DOGE), Litecoin (LTC), and Zcash (ZEC).
Discovering An Ancient Bug
In an interview with the Wall Street Journal, the Unciphered team explained that they’d accidentally discovered the bug during a failed attempt to recover an early investor’s $600,000 in lost Bitcoin (BTC).
The entrepreneur, Nick Sullivan, created his Bitcoin wallet back in 2014 using the website Blockchain.info (since renamed to Blockchain.com). Later, he accidentally lost access to his coins after wiping his computer’s memory without remembering to record his wallet’s private key.
At Sullivan’s request, Unciphered began searching for Sullivan’s coins in January 2022. Though they ultimately lacked enough information to get them back, they realized in the process that Blockchain.info’s code for creating random wallet keys – BitcoinJS – did not make all of its wallets random enough.
“BitcoinJS is terribly broken up till March 2014,” said Unciphered co-founder Eric Michaud. “Anyone directly using it is on the very high end of risk to attack.”
Another wallet site, Dogecoin.info, also used BitcoinJS, leaving many old Dogecoin users exposed to the same vulnerability.
Unciphered claims that wallets made before March 2012 contain $100 million in assets that could easily be hacked by a home computer user. Another $50 billion is held in wallets created between then and 2015, of which at least $500 million is vulnerable.
Cryptographers discovered flaws in wallet generation randomness back in 2014, and improved their methods since. Unciphered said it hadn’t discovered any wallets generated after 2016 suffering from weak randomness.
How to Tell Victims?
Unciphered came public with the vulnerability this week, but has been quietly warning affected users that their assets are at risk for months.
The challenge was convincing millions of victims to move their funds without revealing the vulnerability to thieves who would otherwise leverage it to steal coins.
Unciphered ultimately decided to go to the biggest site responsible for generating such wallets that might be in a position to discretely notify affected users. That site ended up being the one Sullivan used – Blockchain.com.
The site sent out emails to holders of over 1.1 million affected wallets and found a way to automatically update the wallets of anyone who visited its site.
“In crypto, you need to be pretty skeptical of people who call with something that sounds dramatic, because there are so many scammers,” Blockchain.com President Lane Kasselman said regarding Unciphered’s warning. “It was unclear who they were and what the scope of it was.”
Many affected users still haven’t been warned directly since the sites they used to create their wallets are now out of business.