Sometimes cryptocurrency wallet vulnerabilities are complicated and defy simple explanation.
Then there’s this breaking story from WalletGenerator.net – where a key piece of technology used to create crypto wallets was done in by a simple lack of randomization.
“For want of a nail…” is a saying that really comes into play here.
Looking at the context, we know that a lot of crypto holders rely on wallets for security. Experts warn of the dangers of keeping new crypto currency gains in exchanges where they can easily be pilfered – so they suggest putting them into these digital wallets. But if the digital wallet is extremely hackable, this may not turn out to be the best strategy.
Coinelegraph reports this week that individual researcher Harry Denley at MyCrypto found WalletGenerator’s vulnerability last week, realizing that the generator was giving the same private and public key pairs to multiple users.
The problem was stunningly simple – rather than generate a random number, which is quite easy to do in any basic programming code, the generator simply always assigned the number five.
“There were changes to the code being served via WalletGenerator.net that resulted in duplicate keypairs being provided to users. These generated keypairs were also potentially stored server-side,” Denley wrote in a blog post on Medium detailing the issue. “When generating a key, you take a super-random number, turn it into the private key, and turn that into the public key / address. However, if the ‘super-random’ number is always ‘5,’ the private key that is generated will always be the same. This is why it’s so important that the super-random number is actually random…not ‘5.’”
Cointelegraph reporter Max Boddy reports the finders of this fluke problem notified WalletGenerator, which expressed doubt about the allegations, but indeed reportedly patched up the problem.
The moral of the story here is that small mathematical problems can make a huge difference in cryptocurrency security.
This story is also relevant to investors who are looking for infrastructure and the emergence of systems that will protect cryptocurrency assets better than what’s already in place.
Keep an eye out for these kinds of security problems as regulators and everyone else evaluates crypto moving through 2019 and beyond.