Blockchain security experts have issued a stern warning about a major flaw in old cryptocurrency wallets that puts billions of dollars in crypto assets at risk of being stolen.
Unciphered, the blockchain company that specializes in breaking into cryptocurrency wallets, released a report this week revealing the vulnerability dubbed Randstorm, which it said, affects millions of cryptocurrency wallets generated using web browsers from 2011 until 2015.
The Randstorm vulnerability deals with Bitcoin JS, a known JavaScript library that is used to generate crypto wallets.
This particular JavaScript used vulnerable, open-source code from a Stanford University student’s page, according to a report. It prevented wallets from adding sufficient randomness when generating cryptographic keys.
The said vulnerable code persisted in BitcoinJS until March 2014, by that time, multiple crypto wallets and platforms had integrated the JavaScript library, with some of the projects still online although some have been gone for years.
“While examining this wallet, and avenues for recovery, it led us to (re)discover a potential issue in wallets generated by BitcoinJS (and derivative projects) between 2011 and 2015. This potentially affects millions of cryptocurrency wallets that were generated in the 2011-2015 timeframe. The value of assets still in those wallets is sizable,” Unciphered explained.
The team also warned that while the work needed to exploit the impacted crypto wallets varies significantly, it increases over time and emphasized that wallets generated in 2014 are more difficult to attack.
“We can confirm that this vulnerability is exploitable, however, the amount of work necessary to exploit wallets varies significantly and, in general, considerably increases over time. That is to say, as a rule, impacted wallets generated in 2014 are substantially more difficult to attack than impacted wallets generated in 2012,” the report read.
The team also disclosed that it had communicated with vendors about its findings to warn them of the issue.
“We have reached out to the vendors that we were able to identify in order to alert them to this issue,” Unciphered said, before adding, “As a result of this, over a million users have received alerts advising them that their cryptocurrency wallets are potentially vulnerable.”
Moreover, the report disclosed that several blockchains and projects in the cryptocurrency industry could be affected by Randstorm, including Bitcoin, Dogecoin, Litecoin and ZCash.
“In addition to Bitcoin, it seems probable that there are Dogecoin wallets which are also affected by this vulnerability, as well as possibly Litecoin and Zcash wallets. Dogechain.info is a popular Dogecoin explorer that offers wallet generation services, derived from BitcoinJS, starting from December of 2013,” Unciphered reported.