The integrity of Bitcoin wallets predating 2016 is under scrutiny, with a potential vulnerability that could jeopardize over $1 billion in cryptocurrency, as reported by the Washington Post. The flaw, dubbed “Randstorm,” is believed to be embedded in the design of an unknown number of crypto wallets, creating a backdoor for hackers to exploit. The discovery was made by Unciphered, a firm specializing in cryptocurrency recovery. The company found that the vulnerability lies in the inadequate randomness of the numbers used in the encryption of these wallets.
Cryptocurrency wallets, like many encrypted software systems, depend on random number generators for security. However, Unciphered discovered that a significant number of wallets were built on open-source software that used numbers that were not sufficiently random. The flawed wallets use keys with numbers that are one in several thousand, as opposed to the more secure one in a trillion.
This makes them an easy target for brute-force attacks, where hackers systematically try all possible combinations until they find the correct one. In an attempt to mitigate the potential damage, Unciphered has reached out to over a million people to inform them about the vulnerability. However, it is believed that millions more could be affected. Wallet owners can verify if they are at risk by visiting keybleed.com.
The vulnerability reportedly originates from a software called Libbitcoin, used to create wallets by several popular crypto platforms. These include Blockchain.info (now Blockchain.com), Dogechain.info (the primary source of wallets for Dogecoin), and numerous other websites.
Eric Michaud, co-founder of Unciphered, warned that anyone using a wallet built with Libbitcoin is at a high risk of attack. Wallets created before March 2012 are particularly unsafe. While most wallets created between 2012 and late 2015 are considered secure, Unciphered estimates that at least two percent could be vulnerable. The firm notes that the random number generators used in the crypto community have since improved, and any new wallets should be safe from this specific issue. No wallets created after 2016 have been found to contain the Randstorm flaw. Blockchain.com, the most popular site still operating that used the flawed software, has implemented an automatic update for users’ wallets when they visit the platform. The company has also sent emails to 1.1 million affected customers. According to Blockchain.com, the problem was only present in two percent of the 90 million wallets it created over the years.
However, millions of other users may still be exposed to the vulnerability. If their wallets were obtained from companies that have since ceased operations, there may be no way to directly notify them of the risk. This revelation underscores the importance of robust security measures in the cryptocurrency world. As the technology continues to evolve, so too must the safeguards protecting it. It serves as a reminder for users to regularly update their wallets and stay informed about potential vulnerabilities.