Cryptocurrency Wallets Face Potential Threat from ‘Randstorm’ Flaw

Cryptocurrency recovery company Unciphered has unearthed a vulnerability in the widely-used JavaScript Bitcoin library, BitcoinJS, posing a risk to the security of private keys in numerous wallets.

Discovery of the Vulnerability

The flaw, identified during a routine wallet recovery for a client, was traced back to a series of programming errors within the BitcoinJS library. This vulnerability has been linked to weaknesses in the SecureRandom() function, with initial reports of such issues dating back to 2015.

Scale of the Risk

Unciphered’s investigation suggests that millions of cryptocurrency wallets created between 2011 and 2015 could be at risk. They estimate around 1.4 million bitcoins, valued between 1.2 and 2.1 billion USD, are potentially vulnerable. This vulnerability could impact a wide range of users, depending on various factors like the duration of code usage and the size of the user base during the affected period.

Technical Aspects of the Vulnerability

The vulnerability primarily affects wallets where components like the wallet GUID or IV were generated using the compromised Math.random() function. This reduces the computational effort required for an attack, making it more feasible for potential attackers.
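
A defensive sketch of the point above, added here and not taken from BitcoinJS or from Unciphered's report: key material is drawn only from a CSPRNG, and generation fails closed rather than degrading to Math.random(). The function names and the `env` parameter are assumptions made for illustration.

```javascript
// Added example; function names and the `env` parameter are hypothetical.

// Anti-pattern described in the article: key bytes drawn from Math.random(),
// which is a non-cryptographic generator.
function weakKeyMaterial(length = 32) {
  return Uint8Array.from({ length }, () => Math.floor(Math.random() * 256));
}

// Locate a CSPRNG: Web Crypto in browsers and current Node, or Node's
// built-in module when running as CommonJS on older releases.
function resolveCsprng(env = globalThis) {
  if (env.crypto && typeof env.crypto.getRandomValues === 'function') {
    return env.crypto;
  }
  if (env === globalThis && typeof require === 'function') {
    return require('node:crypto').webcrypto;
  }
  return null;
}

// Hardened form: fail closed when no CSPRNG exists instead of degrading.
function generateKeyMaterial(length = 32, env = globalThis) {
  if (!Number.isInteger(length) || length < 16 || length > 65536) {
    throw new RangeError('length must be an integer between 16 and 65536');
  }
  const csprng = resolveCsprng(env);
  if (!csprng) {
    throw new Error('No CSPRNG available; refusing to generate key material');
  }
  const bytes = new Uint8Array(length);
  csprng.getRandomValues(bytes);
  // A buffer that is still all zeros means the source did not fill it.
  if (bytes.every((b) => b === 0)) {
    throw new Error('Random source returned no data');
  }
  return bytes;
}
```

Passing an `env` object without a `crypto` property simulates a runtime that lacks a CSPRNG, the situation in which a library must refuse to create a key.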

Broader Implications for Open Source Software

Unciphered points out that this issue is indicative of larger concerns surrounding open source software reliability. They highlight that many substantial software projects rely on third-party libraries, which may be under-resourced or even abandoned, as depicted in an XKCD comic included in their report. This situation underscores the importance of thorough code audits and verification, especially in software that handles sensitive financial information.

Preventive Measures and Ongoing Threats

Although there have been no known exploitations of the Randstorm vulnerability yet, the potential for future attacks remains. Unciphered recommends that users of potentially affected wallets transfer their assets to new, secure wallets. This precautionary measure is crucial given the rising interest of threat actors in targeting cryptocurrency platforms and assets.

Continued Vigilance in the Crypto Space

The revelation of the Randstorm flaw serves as a reminder of the continuous need for vigilance and proactive security measures within the cryptocurrency ecosystem. Developers, users, and stakeholders must remain alert to such vulnerabilities to safeguard their digital assets effectively.
