Unciphered pointed out the risks of losing $2.1 billion in BitcoinJS wallets

[Lord777]

Created between 2011 and 2015, more than 1 million BitcoinJS wallets and their derivatives contain the Randstorm vulnerability. It can lead to hacking and the loss of $2.1 billion held on them, according to Unciphered.

Today we release our work on Randstorm: a vulnerability affecting a significant number of browser generated cryptocurrency wallets

https://t.co/CebdytNaC6

Reporting @washingtonpost

https://t.co/OzYDq2tH4W

Technical write-up:

https://t.co/HPqjtaX1CA

#Bitcoin #blockchain pic.twitter.com/aN7CZh9sv4
— Unciphered LLC (@uncipheredLLC) November 14, 2023

In addition to bitcoin, Dogecoin, Litecoin and ZCash wallets may be at risk.

The software provider has notified the owners of the need to move crypto assets from the old addresses.

In the report, experts emphasized that BitcoinJS wallets are easy to set up, which has provided them with a large market share. The easiest way to hack those that were created before March 2012.

According to experts, the source of the vulnerability is the SecureRandom() function from the JSBN javascript library (it was used until March 2014), combined with weaknesses in the main browser implementations of Math.random().

 

[Lord777]

Researchers at Unciphered warn about the appearance of an exploit called Randstorm, which allows access to crypto wallets on various blockchain platforms created between 2011 and 2015.

Randstorm is a term used to describe a set of bugs that contributed to the creation of wallets with potentially weak cryptographic keys.

At the same time, according to researchers, the total volume of generated crypt on them reaches about 1.4 million BTC.

Assuming that only 3-5% of the wallets created during this time were affected, the current value of the coins at risk is between $ 1.2 billion and $ 2.1 billion (if 1 BTC = $ 30,000).

The problem was discovered in January 2022, when specialists were involved in the execution of an order that had access to the wallet blocked Blockchain.com.

But even earlier, a researcher with the pseudonym ketamine encountered it back in 2018.

The essence of the vulnerability is related to the use of BitcoinJS, an open source JavaScript package, in the development of browser applications for cryptocurrency wallets.

In particular, Randstorm is based on the package's use of the SecureRandom() function in the JSBN javascript library in combination with cryptographic weaknesses that existed at that time in the implementation of the Math.random () function by web browsers, which allowed weak pseudo-random numbers.

Later in March 2014, BitcoinJS developers stopped using JSBN, but the problem remained and can be used to organize brute-force attacks and restore private wallet keys generated using the BitcoinJS library (or projects dependent on it).

The easiest way to hack wallets created before March 2012.

The results once again shed new light on the dependency security issues underlying open source software infrastructure, showing how vulnerabilities in such fundamental libraries can cause cascading supply chain risks, as was the case with Apache Log4j in 2021.

The flaw was already embedded in wallets created with the affected software, and it will remain there forever, unless funds are transferred to a new wallet created with the new software.

You can check if your wallet is vulnerable on the site www.keybleed[.]com.