Researchers have identified vulnerabilities in legacy storage systems containing Bitcoin. However, the company asserts that other cryptocurrencies, including Dogecoin, and stablecoins such as Litecoin and Zcash, may also be at risk.
After an exhaustive 22-month-long investigation, cybersecurity firm Unciphered has revealed in its latest report that up to $2.1 billion in cryptocurrency could be at risk because of a vulnerability in how old wallets were generated using BitcoinJS and derivative projects.
The vulnerability is dubbed Randstorm, impacting browser-generated wallets created between 2011 and 2015. It has impacted millions of digital currency wallets, claimed Unciphered.
These wallets could be exposed to crypto theft as the company believes adversaries can exploit the issue to generate private keys and use them to steal the funds stored in the impacted wallets.
“The source of the vulnerability is the SecureRandom() function found in the JSBN javascript library, combined with weaknesses that existed in major browser implementations of Math.random(). BitcoinJS utilized the JSBN library until March 2014,” the company explained in its report. “Other projects incorporated early versions of BitcoinJS for the generation of Bitcoin and other cryptocurrency wallets,” the report read.
The company believes that numerous blockchain projects could be affected. Unciphered discovered the issues in old storages holding Bitcoin, but the company believes other cryptocurrencies, including Dogecoin and stablecoins, such as Litecoin and Zcash, could be impacted.
Unciphered didn’t disclose more details on the vulnerability. However, it has been confirmed that millions have been alerted to the issue. The company recommended that investors transfer their funds to new wallets.
“If you are an individual who has generated a self-custody wallet using a web browser before 2016, you should consider moving your funds to a more recently created wallet generated by trusted software”, the company noted.
However, not all wallets could be impacted similarly because the issue exploits different aspects of a digital currency. It is also difficult to determine the exact time frame for the issue except that it impacts the wallets generated between 2011 and 2015.
The company also confirmed that the vulnerability was exploitable, but the amount of work required to exploit wallets varies considerably. For example, wallets generated in 2014 are hard to compromise compared to those generated in 2012.
Unciphered has released a technical write-up to help wallet providers, and developers understand and fix the issue. BitcoinJS is aware of the issue and posted an advisory on their GitHub page, asking users of the BitcoinJS ecosystem to audit and verify underlying code for suitability and validity.
Unciphered’s report highlights the importance of protecting your cryptocurrency assets. Always store funds in secure wallets and be aware of the risks associated with old wallets. Using strong passwords, enabling multiple verification mechanisms, and storing your private keys offline are crucial to securing your wallets.