Dubbed Randstorm, a new vulnerability was disclosed this Tuesday (14) by Unciphered. In short, the flaw affects old Bitcoin wallets created between 2011 and 2015, putting up to R$12.4 billion worth of Bitcoin at risk.
“There is a storm coming on blockchain,” writes Unciphered. “A storm big enough to have its own name. Randstorm. For reasons that will soon become clear, long-time cryptocurrency investors may need to seek shelter.”
“If you used any of the early blockchain platforms (especially between the years 2011 – 2015), you may have been affected.”
Basically, the vulnerability is related to BitcoinJS, a library used by various software to generate wallets. Some of the best-known names among those potentially affected include Blockchain.info (currently Blockchain.com), BitAddress, Bitgo, GreenAddress and CoinKite.
“BitcoinJS was used by many projects in the early 2010s. Below is a non-exhaustive list of projects that used BitcoinJS and their current status.”
“Not all of the above projects were affected,” notes Unciphered, adding that each wallet may have been exposed to the vulnerability for a different length of time.
The Randstorm vulnerability was found accidentally
The whole story begins with Nick Sullivan, an investor who lost the password to a wallet containing around R$500,000 worth of Bitcoin and decided to hire a team of experts to recover the funds.
According to reports published by The Washington Post, the experts were unable to recover the amount, but in the process discovered a vulnerability putting up to R$12.4 billion in other Bitcoin wallets at risk.
On a special page, the Unciphered team emphasizes that it has been working on the vulnerability for 22 months (almost two years). The security company also notes that the older the wallet, the easier it is to hack.
“We coordinated the disclosure with several entities and as a result, millions of investors have been alerted.”
“In January 2022, Unciphered performed work for a client who was locked out of a Blockchain.com Bitcoin wallet. Investigating this wallet and its paths to recovery led us to (re)discover a potential problem in wallets generated by BitcoinJS (and derivative projects) between 2011 – 2015,” says Unciphered.
“This may impact millions of cryptocurrency wallets generated between 2011 and 2015. The value of the assets remaining in these wallets is significant. Unciphered has engaged the parties involved and has been working on solving the problem for over a year. However, we were not the first to realize this.”
As early as 2015, reports indicated that browsers were unable to generate strong random numbers, which led to BitcoinJS being abandoned. Later, in 2018, other experts pointed out the vulnerability again, but had no idea how extensive it was.
To summarize the vulnerability for laypeople, the team published a drawing: at the top sits “the entire modern digital infrastructure”, and all of it rests on “a project created by a random person from Nebraska who has been running the project without support since 2003”.
Another curiosity is the name of the creator of BitcoinJS, Stefan Thomas. Last month, the programmer made headlines for another story: he lost the password to a wallet containing R$1.2 billion in Bitcoin, but refused help to recover the amount.
“I was obsessed with making sure I didn’t make mistakes in my own code,” Thomas told The Washington Post. “I’m sorry to anyone affected by this bug.”
What should you do if you think you have been affected by Randstorm?
On another special page, Unciphered highlights that today 1.4 million bitcoins sit in wallets generated with weak cryptography, an amount estimated at R$248 billion. A conservative estimate puts the number of exposed bitcoins at 35,000 to 70,000; although smaller, that amount corresponds to between R$6.2 billion and R$12.4 billion.
“If we conservatively estimate that only 3 to 5% of the wallets generated during this period are affected, the current value of the coins at risk is between $1.2 and $2.1 billion (assuming 1 BTC = $30,000).”
The security company goes on to say that Bitcoin’s math is “safer than ever”. Still, long-time investors should move their savings into new wallets if they are concerned about this vulnerability.
“If you have created a wallet that you believe is affected by this vulnerability, we recommend that you move your assets to a more recently generated wallet created by trusted software.”
In August this year, another team discovered a separate flaw in old wallets (created between 2014 and 2022). That vulnerability, called Milk Sad, affected fewer people but also raised concerns among several investors.
As for the name Randstorm, it combines the words Random and Storm, a reference to the poor randomness during the creation of some wallets. Below are three links with more information about the flaw.
Failure Announcement: https://www.unciphered.com/blog/disclosure-of-vulnerable-bitcoin-wallet-library
Technical explanation: https://www.unciphered.com/blog/randstorm-you-cant-patch-a-house-of-cards
Frequently Asked Questions: https://www.unciphered.com/randstorm
Source: Live Coins
Barry Siefert is an accomplished journalist and author at The Nation View. He is known for his expertise in the field of cryptocurrency, and has written extensively on the topic. With a background in finance and economics, Barry has a deep understanding of the underlying technology and market forces that drive the crypto industry.