Recent revelations by the cybersecurity firm Unciphered have brought to light a decade-old wallet vulnerability that could potentially jeopardize a staggering $2.1 billion worth of cryptocurrency. This vulnerability affects browser-based wallets created between 2011 and 2015 and spans multiple networks, including Bitcoin (BTC), Dogecoin (DOGE), Litecoin (LTC), and Zcash (ZEC).
Unearthing the Cryptocurrency Wallet Vulnerability
Unciphered stumbled upon this wallet vulnerability while trying to recover $600,000 in Bitcoin (BTC) for an early investor, Nick Sullivan, who had lost access to his wallet. Sullivan had initially created his Bitcoin wallet in 2014 using Blockchain.info (now Blockchain.com) and later lost access to his coins after inadvertently wiping his computer’s memory without saving his wallet’s private key.
During their investigation, Unciphered discovered that the code used by Blockchain.info for creating random wallet keys, known as BitcoinJS, did not make all of its wallets random enough, leaving them vulnerable to attacks. This vulnerability also extends to Dogecoin.info, which used the same BitcoinJS, thus exposing many old Dogecoin users to the same risk.
The Extent of the Wallet Vulnerability
According to Unciphered, wallets created before March 2012 hold approximately $100 million in assets that could be easily hacked by a home computer user. Moreover, another $50 billion is held in wallets created between then and 2015, with at least $500 million being vulnerable to attacks.
Cryptographers identified flaws in wallet-generation randomness back in 2014 and have since improved their methods; consistent with that, Unciphered did not find any wallets generated after 2016 suffering from weak randomness.
Alerting the Victims
Unciphered took the step of publicly disclosing this vulnerability, but not before quietly alerting affected users for months about the risk to their assets. The challenge was to convince millions of victims to move their funds without tipping off potential thieves about the vulnerability.
Blockchain.com, the largest site responsible for generating such wallets, was approached by Unciphered to discreetly notify affected users. Blockchain.com sent out emails to over 1.1 million affected wallet holders and found a way to automatically update the wallets of anyone who visited its site.
However, many affected users have not been directly warned as the sites they used to create their wallets are no longer operational.
For those who are concerned about their wallet’s security, platforms like cryptoview.io offer a comprehensive view of your cryptocurrency portfolio, allowing you to monitor your assets and stay informed about potential vulnerabilities.
Stay vigilant and protect your assets
