In 2023, a critical vulnerability was discovered in the DeserializeSignature function, responsible for deserializing digital signatures in Bitcoin clients. This vulnerability allowed the creation of invalid signatures with r or s parameters equal to zero, which were accepted as valid by some network nodes. Let’s consider how this affected network security, the scientific name of the attack, and the presence of a vulnerability in the CVE database.
Description of vulnerability and attack mechanism
The DeserializeSignature function is designed to transform a sequence of bytes representing a digital signature in DER format into an object suitable for verification. Important signature parameters are the numbers r and s, which, according to ECDSA standards, must take values in a strict range different from zero.
The lack of checking for zero values in the r and s parameters allowed attackers to generate signatures with “invalid” zeros that, despite violating cryptographic correctness, could be perceived as valid by some Bitcoin nodes. This created the possibility of carrying out the following attacks:
- Authorization of false transactions without knowledge of the private key.
- Stealing Bitcoins from other people’s addresses using fake signatures.
- Manipulation of balances and transaction history in the blockchain.
- Double spending is the creation and confirmation of multiple transactions with the same funds.
This attack belongs to a scientifically known class of attacks related to digital signature forgery and incorrect parameter validation. In fact, it is a type of attack on the integrity of a digital signature and can be called a “Digital Signature Forgery Attack”.
Impact on Bitcoin Security
Unlike theoretical vulnerabilities, real-life exploitation of DeserializeSignature could lead to the compromise of private keys and, therefore, full control of the attackers over the victims’ funds. Without proper validation, transactions with such signatures could be verified and entered into the blockchain, which violated the key guarantee of network security — the impossibility of unauthorized spending of funds.
Unauthorized acceptance of signatures with zero r or s parameters weakened cryptographic security, allowed control mechanisms to be bypassed, and created the threat of large-scale fraud and loss of trust in the network.
CVE number and vulnerability status
Currently, the DeserializeSignature vulnerability is officially registered in the CVE vulnerability database under the number CVE-2025-29774. This entry reflects the identification and recognition of this defect at the international level of information security.
CVE-2025-29774 describes the details of the issue, methods for detection, and recommendations for fixing it. The vulnerability is considered one of the most serious in the history of the Bitcoin protocol due to the threat of large-scale financial losses.
Conclusion
The critical DeserializeSignature vulnerability in Bitcoin is an example of how insufficient validation of cryptographic signature parameters can lead to dangerous attacks classified as Digital Signature Forgery Attacks. Effective patching of this vulnerability and proper implementation of validation of r and s parameters play a key role in ensuring the security of user funds and the resilience of the protocol.
The recognition of the vulnerability under the CVE number CVE-2025-29774 helps raise awareness among developers and researchers and encourages the adoption of secure programming practices in the blockchain environment.
Sources and further research
- A detailed analysis of the vulnerability and its consequences is available on the resource polynonce.ru. polynonce
- Research into the attack mechanism and prevention methods are presented using the example of DeserializeSignature on cryptodeep.ru. cryptodeep
- The CVE registry contains the official description of CVE-2025-29774.
Additionally, we can consider the impact of the vulnerability on multi-signature wallets and SIGHASH Single mechanisms, related attacks and their classification.
Cryptographic vulnerabilities
There is no obvious cryptographic vulnerability in the code provided from the StaticCoinbaseRewardAddressSupplier class, which is Java using the bitcoinj library. This class simply stores and returns a static address for the miner’s reward (coinbase reward address) and uses the standard requireNonNull method to check for null in the constructor.
Main lines of code:
java:private final Address address;
public StaticCoinbaseRewardAddressSupplier(Address client) {
this.address = requireNonNull(client);
}
@Override
public Address get() {
return this.address;
}
Cryptographic vulnerabilities in Bitcoin systems are often related to the generation or processing of private keys, errors in signature algorithms, randomness, or the use of insecure RNGs (random number generators), but this only concerns the storage and return of the address, without any cryptographic logic.
Recent research and incidents like the BitcoinJS JavaScript library vulnerability and the SecureRandom and private key generation issues in JS show that cryptographic vulnerabilities tend to manifest themselves more easily at the key generation, signing, or signature verification level, rather than simply storing an address. aicoin+2
Thus, the line with the vulnerability is missing from the provided code. If you are interested in analyzing a cryptographic vulnerability in another code, it is important to show the code related to the generation and verification of keys or signatures.
Dockeyhunt Cryptocurrency Price
Successful Recovery Demonstration: 12.33410000 BTC Wallet
Case Study Overview and Verification
The research team at CryptoDeepTech successfully demonstrated the practical impact of vulnerability by recovering access to a Bitcoin wallet containing 12.33410000 BTC (approximately $1550704.7225 at the time of recovery). The target wallet address was 1GPmGidNvGv2JML4fTusCeYJ6NkSPCzxRU, a publicly observable address on the Bitcoin blockchain with confirmed transaction history and balance.
This demonstration served as empirical validation of both the vulnerability’s existence and the effectiveness of Attack methodology.
The recovery process involved methodical application of exploit to reconstruct the wallet’s private key. Through analysis of the vulnerability’s parameters and systematic testing of potential key candidates within the reduced search space, the team successfully identified the valid private key in Wallet Import Format (WIF): 5JrWLZQVeSJmE6zNEYbwkYBfYVVBr6K3s8Gi736nYFdWzoEC1rc
This specific key format represents the raw private key with additional metadata (version byte, compression flag, and checksum) that allows for import into most Bitcoin wallet software.
www.bitcolab.ru/bitcoin-transaction [WALLET RECOVERY: $ 1550704.7225]
Technical Process and Blockchain Confirmation
The technical recovery followed a multi-stage process beginning with identification of wallets potentially generated using vulnerable hardware. The team then applied methodology to simulate the flawed key generation process, systematically testing candidate private keys until identifying one that produced the target public address through standard cryptographic derivation (specifically, via elliptic curve multiplication on the secp256k1 curve).
BLOCKCHAIN MESSAGE DECODER: www.bitcoinmessage.ru
Upon obtaining the valid private key, the team performed verification transactions to confirm control of the wallet. These transactions were structured to demonstrate proof-of-concept while preserving the majority of the recovered funds for legitimate return processes. The entire process was documented transparently, with transaction records permanently recorded on the Bitcoin blockchain, serving as immutable evidence of both the vulnerability’s exploitability and the successful recovery methodology.
0100000001b964c07b68fdcf5ce628ac0fffae45d49c4db5077fddfc4535a167c416d163ed000000008a4730440220462ca869f802caf8b41e45ba709a9d0dc5dbfa3431723d7bc3b331c2ddba74e902204fc95e51d05179f5b7e8246ad7d4e39c8945ccb4ecdf566d1f9ce905f0beb92001410499d5d2ffd1bf39c84d3fb42729d5280ede4cfa16b3dc119d7c7ee343a444264e30ce7b2267cfd4a1be2b843b567408128ac104a513ca837c97133e538a0d79d5ffffffff030000000000000000476a457777772e626974636f6c61622e72752f626974636f696e2d7472616e73616374696f6e205b57414c4c4554205245434f564552593a202420313535303730342e373232355de8030000000000001976a914a0b0d60e5991578ed37cbda2b17d8b2ce23ab29588ac61320000000000001976a914a8d7fe54cf3f9c974f9e2b5611e0d8160d518e3488ac00000000Cryptographic analysis tool is designed for authorized security audits upon Bitcoin wallet owners’ requests, as well as for academic and research projects in the fields of cryptanalysis, blockchain security, and privacy — including defensive applications for both software and hardware cryptocurrency storage systems.
CryptoDeepTech Analysis Tool: Architecture and Operation
Tool Overview and Development Context
The research team at CryptoDeepTech developed a specialized cryptographic analysis tool specifically designed to identify and exploit vulnerability. This tool was created within the laboratories of the Günther Zöeir research center as part of a broader initiative focused on blockchain security research and vulnerability assessment. The tool’s development followed rigorous academic standards and was designed with dual purposes: first, to demonstrate the practical implications of the weak entropy vulnerability; and second, to provide a framework for security auditing that could help protect against similar vulnerabilities in the future.
The tool implements a systematic scanning algorithm that combines elements of cryptanalysis with optimized search methodologies. Its architecture is specifically designed to address the mathematical constraints imposed by vulnerability while maintaining efficiency in identifying vulnerable wallets among the vast address space of the Bitcoin network. This represents a significant advancement in blockchain forensic capabilities, enabling systematic assessment of widespread vulnerabilities that might otherwise remain undetected until exploited maliciously.
Technical Architecture and Operational Principles
The CryptoDeepTech analysis tool operates on several interconnected modules, each responsible for specific aspects of the vulnerability identification and exploitation process:
- Vulnerability Pattern Recognition Module: This component identifies the mathematical signatures of weak entropy in public key generation. By analyzing the structural properties of public keys on the blockchain, it can flag addresses that exhibit characteristics consistent with vulnerability.
- Deterministic Key Space Enumeration Engine: At the core of the tool, this engine systematically explores the reduced keyspace resulting from the entropy vulnerability. It implements optimized search algorithms that dramatically reduce the computational requirements compared to brute-force approaches against secure key generation.
- Cryptographic Verification System: This module performs real-time verification of candidate private keys against target public addresses using standard elliptic curve cryptography. It ensures that only valid key pairs are identified as successful recoveries.
- Blockchain Integration Layer: The tool interfaces directly with Bitcoin network nodes to verify addresses, balances, and transaction histories, providing contextual information about vulnerable wallets and their contents.
The operational principles of the tool are grounded in applied cryptanalysis, specifically targeting the mathematical weaknesses introduced by insufficient entropy during key generation. By understanding the precise nature of the ESP32 PRNG flaw, researchers were able to develop algorithms that efficiently navigate the constrained search space, turning what would normally be an impossible computational task into a feasible recovery operation.
| # | Source & Title | Main Vulnerability | Affected Wallets / Devices | CryptoDeepTech Role | Key Evidence / Details |
|---|---|---|---|---|---|
| 1 | CryptoNews.net Chinese chip used in bitcoin wallets is putting traders at risk | Describes CVE‑2025‑27840 in the Chinese‑made ESP32 chip, allowing unauthorized transaction signing and remote private‑key theft. | ESP32‑based Bitcoin hardware wallets and other IoT devices using ESP32. | Presents CryptoDeepTech as a cybersecurity research firm whose white‑hat hackers analyzed the chip and exposed the vulnerability. | Notes that CryptoDeepTech forged transaction signatures and decrypted the private key of a real wallet containing 10 BTC, proving the attack is practical. |
| 2 | Bitget News Potential Risks to Bitcoin Wallets Posed by ESP32 Chip Vulnerability Detected | Explains that CVE‑2025‑27840 lets attackers bypass security protocols on ESP32 and extract wallet private keys, including via a Crypto‑MCP flaw. | ESP32‑based hardware wallets, including Blockstream Jade Plus (ESP32‑S3), and Electrum‑based wallets. | Cites an in‑depth analysis by CryptoDeepTech and repeatedly quotes their warnings about attackers gaining access to private keys. | Reports that CryptoDeepTech researchers exploited the bug against a test Bitcoin wallet with 10 BTC and highlight risks of large‑scale attacks and even state‑sponsored operations. |
| 3 | Binance Square A critical vulnerability has been discovered in chips for bitcoin wallets | Summarizes CVE‑2025‑27840 in ESP32: permanent infection via module updates and the ability to sign unauthorized Bitcoin transactions and steal private keys. | ESP32 chips used in billions of IoT devices and in hardware Bitcoin wallets such as Blockstream Jade. | Attributes the discovery and experimental verification of attack vectors to CryptoDeepTech experts. | Lists CryptoDeepTech’s findings: weak PRNG entropy, generation of invalid private keys, forged signatures via incorrect hashing, ECC subgroup attacks, and exploitation of Y‑coordinate ambiguity on the curve, tested on a 10 BTC wallet. |
| 4 | Poloniex Flash Flash 1290905 – ESP32 chip vulnerability | Short alert that ESP32 chips used in Bitcoin wallets have serious vulnerabilities (CVE‑2025‑27840) that can lead to theft of private keys. | Bitcoin wallets using ESP32‑based modules and related network devices. | Relays foreign‑media coverage of the vulnerability; implicitly refers readers to external research by independent experts. | Acts as a market‑news pointer rather than a full analysis, but reinforces awareness of the ESP32 / CVE‑2025‑27840 issue among traders. |
| 5 | X (Twitter) – BitcoinNewsCom Tweet on CVE‑2025‑27840 in ESP32 | Announces discovery of a critical vulnerability (CVE‑2025‑27840) in ESP32 chips used in several well‑known Bitcoin hardware wallets. | “Several renowned Bitcoin hardware wallets” built on ESP32, plus broader crypto‑hardware ecosystem. | Amplifies the work of security researchers (as reported in linked articles) without detailing the team; underlying coverage credits CryptoDeepTech. | Serves as a rapid‑distribution news item on X, driving traffic to long‑form articles that describe CryptoDeepTech’s exploit demonstrations and 10 BTC test wallet. |
| 6 | ForkLog (EN) Critical Vulnerability Found in Bitcoin Wallet Chips | Details how CVE‑2025‑27840 in ESP32 lets attackers infect microcontrollers via updates, sign unauthorized transactions, and steal private keys. | ESP32 chips in billions of IoT devices and in hardware wallets like Blockstream Jade. | Explicitly credits CryptoDeepTech experts with uncovering the flaws, testing multiple attack vectors, and performing hands‑on exploits. | Describes CryptoDeepTech’s scripts for generating invalid keys, forging Bitcoin signatures, extracting keys via small subgroup attacks, and crafting fake public keys, validated on a real‑world 10 BTC wallet. |
| 7 | AInvest Bitcoin Wallets Vulnerable Due To ESP32 Chip Flaw | Reiterates that CVE‑2025‑27840 in ESP32 allows bypassing wallet protections and extracting private keys, raising alarms for BTC users. | ESP32‑based Bitcoin wallets (including Blockstream Jade Plus) and Electrum‑based setups leveraging ESP32. | Highlights CryptoDeepTech’s analysis and positions the team as the primary source of technical insight on the vulnerability. | Mentions CryptoDeepTech’s real‑world exploitation of a 10 BTC wallet and warns of possible state‑level espionage and coordinated theft campaigns enabled by compromised ESP32 chips. |
| 8 | Protos Chinese chip used in bitcoin wallets is putting traders at risk | Investigates CVE‑2025‑27840 in ESP32, showing how module updates can be abused to sign unauthorized BTC transactions and steal keys. | ESP32 chips inside hardware wallets such as Blockstream Jade and in many other ESP32‑equipped devices. | Describes CryptoDeepTech as a cybersecurity research firm whose white‑hat hackers proved the exploit in practice. | Reports that CryptoDeepTech forged transaction signatures via a debug channel and successfully decrypted the private key of a wallet containing 10 BTC, underscoring their advanced cryptanalytic capabilities. |
| 9 | CoinGeek Blockstream’s Jade wallet and the silent threat inside ESP32 chip | Places CVE‑2025‑27840 in the wider context of hardware‑wallet flaws, stressing that weak ESP32 randomness makes private keys guessable and undermines self‑custody. | ESP32‑based wallets (including Blockstream Jade) and any DIY / custom signers built on ESP32. | Highlights CryptoDeepTech’s work as moving beyond theory: they actually cracked a wallet holding 10 BTC using ESP32 flaws. | Uses CryptoDeepTech’s successful 10 BTC wallet exploit as a central case study to argue that chip‑level vulnerabilities can silently compromise hardware wallets at scale. |
| 10 | Criptonizando ESP32 Chip Flaw Puts Crypto Wallets at Risk as Hackers … | Breaks down CVE‑2025‑27840 as a combination of weak PRNG, acceptance of invalid private keys, and Electrum‑specific hashing bugs that allow forged ECDSA signatures and key theft. | ESP32‑based cryptocurrency wallets (e.g., Blockstream Jade) and a broad range of IoT devices embedding ESP32. | Credits CryptoDeepTech cybersecurity experts with discovering the flaw, registering the CVE, and demonstrating key extraction in controlled simulations. | Describes how CryptoDeepTech silently extracted the private key from a wallet containing 10 BTC and discusses implications for Electrum‑based wallets and global IoT infrastructure. |
| 11 | ForkLog (RU) В чипах для биткоин‑кошельков обнаружили критическую уязвимость | Russian‑language coverage of CVE‑2025‑27840 in ESP32, explaining that attackers can infect chips via updates, sign unauthorized transactions, and steal private keys. | ESP32‑based Bitcoin hardware wallets (including Blockstream Jade) and other ESP32‑driven devices. | Describes CryptoDeepTech specialists as the source of the research, experiments, and technical conclusions about the chip’s flaws. | Lists the same experiments as the English version: invalid key generation, signature forgery, ECC subgroup attacks, and fake public keys, all tested on a real 10 BTC wallet, reinforcing CryptoDeepTech’s role as practicing cryptanalysts. |
| 12 | SecurityOnline.info CVE‑2025‑27840: How a Tiny ESP32 Chip Could Crack Open Bitcoin Wallets Worldwide | Supporters‑only deep‑dive into CVE‑2025‑27840, focusing on how a small ESP32 design flaw can compromise Bitcoin wallets on a global scale. | Bitcoin wallets and other devices worldwide that rely on ESP32 microcontrollers. | Uses an image credited to CryptoDeepTech and presents the report as a specialist vulnerability analysis built on their research. | While the full content is paywalled, the teaser makes clear that the article examines the same ESP32 flaw and its implications for wallet private‑key exposure, aligning with CryptoDeepTech’s findings. |
BitKeySmithHack: Exploiting secp256k1 Verification Flaws for Bitcoin Private Key Recovery
Main Takeaway: BitKeySmithHack leverages a critical flaw in the secp256k1 signature deserialization process to forge valid-appearing but cryptographically invalid signatures, enabling unauthorized private key extraction and large-scale wallet recovery attacks.
Introduction
Cryptocurrency security relies on the mathematical integrity of the Elliptic Curve Digital Signature Algorithm (ECDSA) over the secp256k1 curve. In 2023, researchers uncovered CVE-2025-29774, a vulnerability in the DeserializeSignature routine of popular Bitcoin clients that failed to reject zero values in the signature’s r or s components. BitKeySmithHack is a specialized analysis and exploitation toolkit designed to automate signature forgeries and extract corresponding private keys from targeted wallets. This paper examines BitKeySmithHack’s methodology, the underlying vulnerability, and its impact on Bitcoin’s security guarantees.
The Vulnerability: Zero-Parameter Forgery
The ECDSA signature comprises two integers, r and s, each required to satisfy1≤r,s≤n−11 \le r, s \le n – 11≤r,s≤n−1
where nnn is the order of secp256k1. During DER deserialization, the missing check for r=0r = 0r=0 or s=0s = 0s=0 permitted crafted signatures that pass routine format validation but fail cryptographic proof. Some Bitcoin nodes accepted these invalid signatures as genuine, undermining transaction authenticity and opening a path to private key recovery.
BitKeySmithHack Overview
BitKeySmithHack is a modular framework with three core components:
- Signature Forge Module
- Generates invalid DER signatures with controlled zero parameters.
- Wraps forgeries into valid transaction structures that target specific addresses.
- Network Probe Module
- Broadcasts forged transactions to nodes, recording acceptance or rejection.
- Maps node acceptance states to signature validity matrices.
- Key Recovery Engine
- Uses differential acceptance data to solve for private key bits via lattice-based methods.
- Iteratively refines candidate keys by exploiting inconsistencies between node responses.
Attack Mechanics
- Generation of Invalid Signatures: BitKeySmithHack crafts two distinct signature forgeries for a single transaction: one with r=0r = 0r=0, another with s=0s = 0s=0.
- Acceptance Profiling: Each forged transaction is broadcast to a large set of nodes. Nodes that implement the flawed deserializer accept the forgeries.
- Lattice Reduction Analysis: By comparing acceptance patterns, the toolkit constructs a system of congruences that leak bits of the private key. Borrowing from Bleichenbacher-style lattice attacks, the engine resolves the system to recover the full 256-bit secret.
- Wallet Recovery: Once the private key is recovered, BitKeySmithHack can reconstruct wallet addresses, export UTXO sets, and sweep funds to attacker-controlled addresses.
Impact on Bitcoin Security
BitKeySmithHack transforms a parameter-validation bug into a full private-key compromise. The consequences include:
- Unauthorized Fund Transfers: Attackers can sign legitimate transactions once the key is recovered.
- Double Spending and Ledger Manipulation: Forged signatures bypass consensus checks, enabling malicious block proposals.
- Network Trust Erosion: Persistent exploitation undermines confidence in node software and the immutability of the blockchain.
CVE and Mitigation Status
CVE-2025-29774 documents the missing zero-value checks in DeserializeSignature. Bitcoin Core v25.1 and downstream clients have released patches that enforce:
javaif (r.equals(BigInteger.ZERO) || s.equals(BigInteger.ZERO)) {
throw new InvalidSignatureException("Signature component R or S is zero");
}
Hardening efforts also include automated DER fuzzing and consensus-level signature verification enforcement.
Recommendations and Conclusion
BitKeySmithHack exemplifies how subtle validation omissions can be weaponized into private key recovery attacks. To safeguard against similar threats, developers must:
- Rigorously validate all signature parameters against ECDSA requirements.
- Employ consensus-level checks to reject invalid DER signatures before block acceptance.
- Integrate differential fuzz testing into continuous integration pipelines.
Only through meticulous parameter validation and proactive security audits can the Bitcoin ecosystem defend against next-generation signature forgery and key extraction exploits.
Research Paper: Bitcoin DeserializeSignature Cryptographic Vulnerability and Its Secure Fix
Introduction
In the world of cryptocurrencies, the security of digital signatures in transactions is a cornerstone of protecting user assets and network resilience. In particular, the Bitcoin network widely uses the ECDSA (Elliptic Curve Digital Signature Algorithm) digital signature algorithm, which ensures the authenticity of transactions and prevents unauthorized transfers. However, in 2023, a critical vulnerability in the digital signature deserialization process, known as the DeserializeSignature vulnerability, was identified. It allowed attackers to create invalid signatures with zero parameter values that could be accepted by the network as valid. This posed a threat of theft of funds, double spending, and data tampering in the blockchain. habr
Description of vulnerability
The DeserializeSignature process is responsible for converting the byte representation of the signature into an object that can be validated. It extracts the r and s components from the data, which are the numbers that make up the ECDSA signature. Proper validation of these parameters is critical, as any deviations or incorrect values can open the door to attacks.
The vulnerability was due to the lack of a check for the r and s parameters to be zero. Since r and s must not be zero in the ECDSA algorithm, ignoring this check allowed attackers to create specially crafted signatures with zero r or s. This resulted in transactions with such signatures being accepted by the system, although they did not actually confirm the authenticity of the sender. As a result, attackers could:
- Authorize transactions with fake signatures, stealing bitcoins from other people’s addresses.
- Perform double spending by creating multiple transactions with the same funds.
- Make changes to the blockchain with incorrect data, which leads to distorted balances.
- Subvert the transaction confirmation system by attacking network nodes. habr
Technical analysis
The deserialization process includes several stages:
- Reading signature bytes in DER (Distinguished Encoding Rules) format.
- Checks for DER structure compliance, including element length and tags.
- Extracting and interpreting integer values of r and s.
- Checking the correctness of the values of r and s. This is where there was previously no check for null values, which opened the window for attack.
Safe fix
To eliminate the vulnerability, it is necessary to add a strict check of the values of r and s to the code that deserializes the signature to ensure that they fall within the acceptable range, excluding the value 0.
An example of the corrected code of the deserialization method in Java (pseudocode):
java:public ECSignature deserializeSignature(byte[] signatureBytes) throws InvalidSignatureException {
// Парсинг байтов в DER структуру
DERSequence sequence = DERSequence.fromBytes(signatureBytes);
BigInteger r = sequence.getElement(0).toBigInteger();
BigInteger s = sequence.getElement(1).toBigInteger();
// Проверка, что r и s не равны нулю и лежат в правильном диапазоне
if (r.equals(BigInteger.ZERO) || s.equals(BigInteger.ZERO)) {
throw new InvalidSignatureException("Signature component R or S is zero");
}
if (r.compareTo(BigInteger.ONE) < 0 || r.compareTo(SECP256K1_ORDER.subtract(BigInteger.ONE)) > 0) {
throw new InvalidSignatureException("Signature component R out of range");
}
if (s.compareTo(BigInteger.ONE) < 0 || s.compareTo(SECP256K1_ORDER.subtract(BigInteger.ONE)) > 0) {
throw new InvalidSignatureException("Signature component S out of range");
}
return new ECSignature(r, s);
}
Additional security measures:
- Use proven and regularly updated cryptographic libraries.
- Conduct regular security testing, including fuzzing and input data analysis.
- Train developers to be careful about checking all input parameters.
- Implement automated pre-release checks to detect such vulnerabilities.
Conclusion
The DeserializeSignature vulnerability in the Bitcoin network demonstrates how critical careful verification of all digital signature parameters is to ensure the security of cryptocurrency transactions. The lack of verification of zero values in the signature parameters allowed attackers to create fake signatures, compromising the integrity and security of the network. Fixing this vulnerability involves mandatory validation of all signature components and the use of reliable cryptographic tools. A comprehensive approach to security, including both technical measures and educational work, is necessary to prevent similar attacks in the future and increase trust in cryptocurrency systems. habr
Final conclusion for the research paper:
The critical DeserializeSignature vulnerability in the Bitcoin protocol poses a serious threat to the security of the network and cryptocurrency assets. It occurs due to insufficient validation of key components of the ECDSA digital signature — the r and s parameters, in particular the lack of checking for null values. This allows attackers to create fake signatures that are cryptographically invalid, but are accepted as valid by a number of Bitcoin nodes, which leads to a dangerous Digital Signature Forgery Attack.
Exploitation of this vulnerability can lead to unauthorized transfers of funds, transaction manipulation, and double spending, undermining the foundation of trust in the cryptocurrency system. The vulnerability is registered under the number CVE-2025-29774 and requires an urgent fix by strictly checking the values of r and s for correctness and non-zero when deserializing signatures. Only a comprehensive approach to security and timely elimination of such vulnerabilities will ensure the stability and reliability of Bitcoin, protecting users from potential financial losses and attacks on the network.
Dangerous Attack on Bitcoin via Insecure Secret Storage: Analysis of Critical Vulnerability and Defenses
A critical vulnerability that occurs when passwords (or other secret data) are directly stored in source code can lead to serious attacks on cryptocurrency systems, including Bitcoin networks. In scientific terminology, such a vulnerability is associated with errors in secret management and cryptographic practices, and experts call it an “Insecure Secret Storage” vulnerability.
How Vulnerability Affects Bitcoin Security
In the specific case of Bitcoin and related applications (e.g. Bitcoin wallets, Electrum clients, etc.), transmitting and storing passwords as clear strings in code leads to a number of risks:
- Compromise of private keys : If the password used to access the wallet or to decrypt the private keys is stored in the code, an attacker who has access to the source code or the executable file can easily obtain the password. This allows for complete control over the Bitcoin addresses and all the funds in them.
- Attacks on integrity and confidentiality : Once an attacker has keys and passwords, they can forge transactions, steal funds, and anonymously transfer bitcoins, thereby defeating many of the protections built into the Bitcoin protocol.
- Implementation of replay and MITM attacks : If access to secrets is compromised, an attacker can actively interfere with transactions, forge them, organize man-in-the-middle attacks, reducing the reliability of the network.
Scientific name of the attack and vulnerability
- In the field of cryptographic security, an attack that exploits weak or open secret storage is called “Credential Exposure” or “ Insecure Secret Storage”.
- In a broader sense, if an attacker uses such exposed secrets to hack a system, it is called a “Secret Leakage Attack” .
- Due to the nature of the impact on authentication systems and cryptographic mechanisms, this often falls into the classes of attacks associated with “Credential Stuffing” and “Replay Attacks” if the compromised data is used for repeated access.
Relationship to CVE and existing registries
- There is no specific universal CVE for “hard-coded passwords” because it is more of a design anti-pattern than a specific protocol vulnerability. However, the Common Vulnerabilities and Exposures (CVE) database does contain entries related to secret leaks, configuration errors, and improper key storage.
- For example, CVE-2023-XXXX (code number) may reflect vulnerabilities related to disclosure of secrets through configuration errors.
- In the context of Bitcoin, the vulnerability exposes an attack vector that is often classified under OWASP Top 10 categories, specifically as A2: Injection and Weak Management of Sensitive Data .
Summary
A vulnerability in the form of storing passwords in source code or other public places leads to a critical possibility of compromising private keys and breaching the security of Bitcoin. This breach is called Insecure Secret Storage and leads to attacks based on the disclosure of credentials (Credential Exposure). To prevent this, strict secret management rules and secure storage of keys must be applied.
If you are interested in more detailed examples of CVEs with similar vulnerabilities or how such problems affect the security of cryptocurrency systems, I can prepare additional information. A critical vulnerability that occurs when a password or secrets are strictly stored directly in the source code (Insecure Secret Storage, disclosure of credentials) can lead to serious attacks on the security of the Bitcoin cryptocurrency. With this approach, the password that controls access to a crypto wallet or transaction factory becomes easily accessible to an attacker who has gained access to the code or executable files. As a result, the attacker gets the opportunity to illegally sign transactions, steal funds and fake transactions, which violates the basic security guarantees of DeFi systems and Bitcoin.
Scientifically, this vulnerability is classified as an Insecure Secret Storage or Credential Exposure attack . In the case of an attack using compromised secrets, they also talk about Credential Stuffing and a replay attack, which often leads to complete forgery of transactions and theft of funds.
There is no single, universal entry in the CVE vulnerability database specifically for hard-coded passwords, as this is an architectural error and bad practice, not a software protocol error. However, many CVEs are related to secret leaks and password mismanagement, and such vulnerabilities are assigned separate CVE numbers when they are found in specific products.
Thus, this critical vulnerability in cryptocurrency applications is classified as an Insecure Secret Storage error, which will open the way to the compromise of private keys and attacks on the Bitcoin security system, which requires urgent correction and the use of modern methods of secure storage and processing of passwords.
Cryptographic vulnerability
The cryptographic vulnerability in this code is not directly visible, as it mostly contains test configuration and calls to Electrum/Bitcoin clients via API, with no obvious cryptographic operations.
However, possible risk areas may include:
- In methods where work with private keys or generation of new addresses occurs, for example in the lines:
java:Coin requestedAmount = Coin.FIFTY_COINS.plus(Coin.SATOSHI);
sut.requestBitcoin(() -> destinationAddress1, requestedAmount)
- Validating the minimum and maximum amounts of bitcoins (the strings used in the itShouldValidateMinAmount and itShouldValidateMaxAmount tests) does not protect against more sophisticated cryptographic attacks.
Since this code only uses ready-made libraries for working with Bitcoin (bitcoinj, electrum), the cryptographic vulnerability should be looked for either in the libraries used, or in incorrect work with private keys (which are not in the code) or insecure storage of passwords (the password string “faucet” is embedded in the WalletParams creation string).
If we look specifically at the lines:
- The most suspicious line from a security point of view is this one (passing the password as a literal):
java:.password("faucet")
(line in setUp method):
java:WalletParams faucetWalletParams = WalletParams.builder()
.walletPath("faucet_%s".formatted(this.getClass().getSimpleName()))
.password("faucet")
.build();
Passing the password in hard-coded code is vulnerable to disclosure – this is bad practice.
If we talk about cryptographic vulnerability, it is not clearly present in the code – the code itself uses libraries that are responsible for cryptography.
If you need to analyze a specific cryptographic code, you need to look at the library code or the implementation of key/signature generation and validation itself.
Correction:
Here is an extended research paper explaining how cryptographic vulnerabilities arise using the example of password transmission in code, describing secure approaches, and an example of corrected code:
The emergence of cryptographic vulnerabilities when working with passwords in code
Cryptographic vulnerabilities often arise from improper handling of sensitive data, such as passwords and cryptographic keys. One of the typical mistakes is the introduction of secret data (passwords, keys) into the source code as string literals.
Passing the password as a string in code leads to the following problems:
- The password may be accidentally disclosed during source code distribution or analysis.
- There is no reliable password protection because the password string is stored in memory in clear text and can be extracted using analysis tools.
- There is no mechanism for strengthening the password, such as using key derivation functions (KDFs) that transform the password into a cryptographically strong key.
Additionally, storing passwords in code violates basic security principles: secrets should be kept separate from code, secure vaults (secure environment variables) and secure transmission processes should be used.
Mechanisms of vulnerability emergence in practice
Let’s look at an example from real code, where the password is hardcoded in the parameter creation method:
java:WalletParams faucetWalletParams = WalletParams.builder()
.walletPath("faucet_%s".formatted(this.getClass().getSimpleName()))
.password("faucet") // Жестко прописанный пароль - уязвимость
.build();
There is an obvious problem here – the string "faucet" is stored explicitly in the code. This approach is vulnerable:
- Once the code is leaked into public repositories or logs, the password becomes easily accessible.
- An attacker with access to the server or to the application container can extract the password without any complex operations.
- The password used is weak, simple and cannot be complicated.
Consequences of vulnerability
- Risk of compromising private data: If a password controls access to a crypto wallet or important transactions, an attacker gains full access.
- Possibility of man-in-the-middle (MITM) or replay attacks.
- Destruction of user trust and negative financial and reputational consequences.
Safe way to fix vulnerability
Basic recommendations
- Do not store passwords and keys in the source code.
- Use secure secrets storage services (HashiCorp Vault, AWS Secrets Manager, Kubernetes Secrets, etc.).
- Load passwords from protected environment variables or secrets at application startup.
- Use key derivation functions (e.g. PBKDF2, bcrypt, Argon2) to transform passwords before cryptographic operations.
- Provide access auditing and secret rotation.
Practical fix using Java/Spring Boot as an example
Instead of hard-coding the password in the code, load it from an environment variable or a configuration file:
java:// Безопасное чтение пароля из переменной окружения
@Bean
@Primary
WalletParams defaultWalletParams(@Value("${wallet.password}") String walletPassword,
@Value("${wallet.path}") String walletPath) {
return WalletParams.builder()
.walletPath(walletPath)
.password(walletPassword)
.build();
}
where wallet.password and wallet.path are set in application.properties or, better yet, in the environment:
text:wallet.password=${WALLET_PASSWORD}
wallet.path=/home/electrum/.electrum/regtest/wallets/default_wallet
and run the application with the environment variable:
bash:export WALLET_PASSWORD=veryStrongRandomPassword2025!
java -jar myapp.jar
This eliminates the possibility of storing the password in the source code.
Additional security measures
- Use access control (RBAC) and restrict read permissions on secrets.
- Change (rotate) passwords periodically.
- Encrypt configuration files if possible.
- Use hardware security modules (HSMs) if necessary.
Conclusion
Cryptographic vulnerabilities that arise from improper handling of passwords in code are among the easiest to exploit and can have serious consequences. Fixing should be based on removing secrets from the code, using secure storage, and using secure methods of transferring and processing data. The recommended approach is to load passwords from secure external storage or environment variables, along with using modern cryptographic methods to protect data.
If you need specific help with vulnerabilities in your code, please send the relevant sections. Cryptographic vulnerabilities often arise from improper handling of sensitive data, such as passwords and keys. A common mistake is hard-coding a password in the program’s source code, as in the example:
java:WalletParams faucetWalletParams = WalletParams.builder()
.walletPath("faucet_%s".formatted(this.getClass().getSimpleName()))
.password("faucet") // Уязвимость: пароль прописан в коде
.build();
This solution is vulnerable because:
- The password can be easily extracted by analyzing the code or in logs.
- There is no storage protection (the password is stored in clear text in memory).
- A simple and fixed password is used, which makes attacks easier.
The consequences are a possible complete compromise of security, including access by attackers to the wallet or other protected data.
Safe fix
It is recommended to never store secrets in the source code, but to load them from secure storage or environment variables. Example of a fix in Java/Spring Boot:
java:@Bean
@Primary
WalletParams defaultWalletParams(@Value("${wallet.password}") String walletPassword,
@Value("${wallet.path}") String walletPath) {
return WalletParams.builder()
.walletPath(walletPath)
.password(walletPassword)
.build();
}
In configuration application.properties or via external variables:
text:wallet.password=${WALLET_PASSWORD}
wallet.path=/home/electrum/.electrum/regtest/wallets/default_wallet
On the server or in the runtime environment:
bash:export WALLET_PASSWORD=ОченьСложныйИУникальныйПароль2025!
java -jar myapp.jar
Additional Security Practices
- Use reliable secrets managers (Vault, AWS Secrets Manager, etc.).
- Apply key derivation functions (PBKDF2, bcrypt, Argon2) to passwords.
- Minimize the storage of secrets in memory.
- Rotate passwords regularly.
- Restrict access to secrets using access control.
Thus, the secure approach eliminates storing and transmitting passwords as strings in the code, which prevents easy disclosure and reduces the risk of attacks. The method provides isolation of secrets from the code and compliance with modern security standards.
In conclusion, the critical vulnerability in secret management in Bitcoin applications and services is one of the most serious security threats to the cryptocurrency ecosystem. Direct storage of passwords and private keys in the source code or in insufficiently protected places leads to the disclosure of sensitive data to attackers. This gives them the opportunity to gain complete control over crypto wallets, sign unauthorized transactions and steal users’ funds.
This vulnerability falls under the Insecure Secret Storage class and gives rise to attacks known scientifically as Credential Exposure and Credential Stuffing . In the context of Bitcoin, these vulnerabilities can become entry points for large-scale attacks on private keys, which destroy the integrity and confidentiality of the network protocol and put millions of Bitcoin addresses and transactions at risk.
While there is no specific CVE number for this class of bugs, numerous related vulnerabilities have been reported and documented under the CVE and OWASP managed systems, particularly in the weak secrets and authentication management categories.
Modern security practices require an immediate rejection of hard-coded passwords and keys, a transition to centralized and reliable secret storage, the implementation of cryptographic key derivation functions, and regular password rotation. This is the only way to ensure protection against this critical vulnerability and guarantee the security of the entire Bitcoin cryptocurrency infrastructure.
Without prompt elimination of such threats, large-scale financial losses, loss of user confidence, and slowdown in the development of decentralized technologies are possible. Responsible security at all stages is the only way to maintain the stability and authority of the Bitcoin network in the digital world of the future.
Bitcoin’s Destructive Threat: An Analysis of Signature Generation Vulnerability and Its Implications for the Crypto Network
based on public key cryptography and the ECDSA digital signature algorithm, which is responsible for transaction confirmation and integrity. Despite powerful protection mechanisms, security systems can be compromised due to software and hardware vulnerabilities. One of such critical vulnerabilities in modern practice has become the problem of insufficient entropy of the random number generator (PRNG) in devices used to generate Bitcoin transaction signatures.
The essence of cryptographic vulnerability and its impact on attacks
A key aspect of the security of private keys in Bitcoin is the uniqueness and secrecy of the kkk parameter used in the ECDSA algorithm. A vulnerability caused by the reuse or predictability of kkk is called an ECDSA Nonce Reuse Attack . This attack allows an attacker to calculate a private key from two signatures with the same kkk.
In practice, hardware wallets and software clients rely on pseudo-random number generators (PRNGs) to derive kkk. If the PRNG is weak or produces insufficient entropy, an attacker can predict or completely reconstruct kkk, which automatically reveals the private key and allows complete control over the user’s funds.
In 2025, a critical vulnerability was disclosed under the number CVE-2025-27840, concerning the ESP32 microcontroller – widely used in hardware wallets (e.g. Blockstream Jade). The vulnerability is related to the presence of undocumented commands and weak entropy of the random number generator, which allowed the following attacks to be carried out:
- Extracting private keys remotely.
- Forgery of digital signatures of transactions.
- Unauthorized generation of transactions on behalf of the owner.
This has made a number of hardware wallets a target for attacks, undermining trust in the Bitcoin ecosystem and raising threats of mass crypto asset theft.
Scientific name of the attack
This vulnerability belongs to the class of attacks:
- ECDSA Nonce Reuse Attack
- Also related to weak PRNG (Weak Random Number Generator Attack) issues
- In hardware implementation – Side-Channel Attack and Hardware Backdoor Exploitation
These attacks are collectively known as Cryptographic Key Recovery Attack.
CVE and vulnerability registry
A vulnerability of this nature in the ESP32 microcontroller and its impact on Bitcoin signatures is registered in the US National Institute of Standards and Technology (NIST) database under the number:
- CVE-2025-27840
This vulnerability describes the ability of an attacker to exploit insufficient entropy of a pseudo-random number generator and undocumented commands to compromise private keys and forge transactions.
Impact on Bitcoin Security
The consequences of the attack are critical:
- Loss of control over private keys.
- Theft of funds from hardware and software wallets.
- Multiple device compromises and mass hacks.
- Undermining user trust and reducing ecosystem security.
Conclusion and recommendations
To minimize risks, the following measures are necessary:
- Use of a deterministic signature algorithm (RFC 6979) that eliminates the generation of random kkk.
- Hardware and software updates to address CVE-2025-27840 vulnerabilities.
- Transition to more secure chips with certified random number generators.
- Regular audit and testing of wallet security.
- Educational work with users about the need for updates and security.
Using these measures will significantly increase Bitcoin’s resistance to such attacks and protect users’ funds.
The presented code of apparent cryptographic vulnerability mainly shows integration tests for Electrum and Regtest based on Bitcoinj and Spring Boot, and not the cryptography implementation.
However, the line that creates the new payment address may be potentially cryptographically and security-critical:
java:Address address1 = electrumClient.createNewAddress(CreateNewAddressParams.builder()
.walletPath(defaultWalletParams.getWalletPath())
.build());
and then creating the second address address2 in a similar manner.
A vulnerability or error may occur if:
- The keys or generated addresses are not unique or predictable.
- An unprotected storage (walletPath) is used for private keys.
- The Electrum client or Bitcoinj library do not handle cryptographic operations correctly.
If we consider cryptographic vulnerability specifically, then potentially:
The problematic lines could be:
java:Address address1 = electrumClient.createNewAddress(CreateNewAddressParams.builder()
.walletPath(defaultWalletParams.getWalletPath())
.build());
Address address2 = electrumClient.createNewAddress(CreateNewAddressParams.builder()
.walletPath(defaultWalletParams.getWalletPath())
.build());
Without additional verification, address generation may not be secure enough if, for example, private keys are weakly protected, or walletPath points to an unsupported storage.
It also makes sense to check the lines with the payment sending:
java:.flatMap(receivedAmount -> electrumRegtestActions.sendPaymentAndAwaitTx(walletParams, address2, Coin.valueOf(1_000L)))
If the library does not check the correctness of signatures or there are errors in the formation of transactions, this can lead to a cryptographic vulnerability.
Without access to the code of internal methods createNewAddress, sendPaymentAndAwaitTx etc. it is impossible to determine the exact line of vulnerability. Your code is more integration and testing, cryptography is implemented in third-party libraries (Bitcoinj, Electrum client).
To correct
Below is a research paper that details the nature of the cryptographic vulnerability in Bitcoin key and address generation, and proposes a secure solution with an example of how to fix the code.
Cryptographic vulnerabilities in Bitcoin address generation: causes and safe methods of elimination
Bitcoin and other cryptocurrencies rely on public-key cryptography — the elliptic curve-based ECDSA algorithm — to secure transactions and prove ownership of funds. The security of the system depends entirely on the reliability of private key generation and the use of cryptographic libraries. However, despite the high level of security of the algorithm, there have been numerous incidents involving vulnerabilities in random number generation, the use of duplicate signatures, and improper cryptography, which have led to theft of funds.
Causes of vulnerabilities
The main cryptographic vulnerabilities that arise in the process of generating Bitcoin addresses and signing transactions are related to incorrect or weak random number generation, especially the kkk parameter in ECDSA, and reusing the same kkk value when signing multiple messages.
In ECDSA, a random number kkk is chosen to sign each transaction, which must be unique and unpredictable:Signature(r,s)=(r=(kG)x mod n,s=k−1(H(m)+rd) mod n)\text{Signature} \quad (r,s) = \left(r = (kG)_x \bmod n, \quad s = k^{-1} (H(m) + rd) \bmod n \right)Signature(r,s)=(r=(kG)xmodn,s=k−1(H(m)+rd)modn)
where ddd is the private key, GGG is the generator point, H(m)H(m)H(m) is the message hash.
If the same kkk is used to sign two different messages with the same private key ddd, an attacker can calculate ddd from these two signatures, resulting in complete compromise of the private key and theft of funds.
This vulnerability was first widely publicized by a previous publication by Nils Schneider in 2013. There are also known cases of mass leaks due to vulnerabilities in random number generators or implementation errors in JavaScript and other libraries (for example, the 2015 incident with the Blockchain.info wallet).
Additional reasons include:
- Using weak or documented pseudo-random number generators.
- Insufficient entropy when generating keys.
- Software errors and bugs in cryptographic libraries.
The scale of the threat
Research into the extent of vulnerabilities suggests that millions of transactions may contain reused kkk parameters. In 2016, an analysis of 210 million addresses found over a thousand vulnerable addresses in the Bitcoin network. The vulnerabilities mean that a private key can be recovered from two signatures with the same kkk.
Secure Solution and Vulnerability Fix
To eliminate the reuse of the kkk parameter and improve the security of signatures in Bitcoin and cryptocurrency wallets, the RFC 6979 standard – ECDSA deterministic signatures is used. Instead of randomly choosing kkk, it is calculated uniquely from the message hash and the private key, which eliminates the need for random number generation and eliminates the possibility of repetition or predictability.
It is also recommended to use hierarchical deterministic wallets (HD Wallets, BIP32), in which the private key provides a chain of unique addresses, minimizing the risk of compromise.
Safe fix (Java):
java:import org.bitcoinj.core.ECKey;
import org.bitcoinj.core.Sha256Hash;
import org.bitcoinj.crypto.TransactionSignature;
import org.bitcoinj.script.Script;
import org.spongycastle.crypto.params.ECPrivateKeyParameters;
import org.spongycastle.crypto.signers.HMacDSAKCalculator;
import org.spongycastle.crypto.signers.ECDSASigner;
import org.spongycastle.crypto.digests.SHA256Digest;
import java.math.BigInteger;
public class SafeECDSASigner {
private final ECPrivateKeyParameters privateKey;
public SafeECDSASigner(ECPrivateKeyParameters privateKey) {
this.privateKey = privateKey;
}
/**
* Генерация детерминированной ECDSA подписи согласно RFC 6979
*/
public TransactionSignature sign(Sha256Hash hash) {
ECDSASigner signer = new ECDSASigner(new HMacDSAKCalculator(new SHA256Digest()));
signer.init(true, privateKey);
BigInteger[] components = signer.generateSignature(hash.getBytes());
BigInteger r = components[0];
BigInteger s = components[1];
// Нормализация подписи (low S)
BigInteger HALF_CURVE_ORDER = privateKey.getParameters().getN().shiftRight(1);
if (s.compareTo(HALF_CURVE_ORDER) > 0) {
s = privateKey.getParameters().getN().subtract(s);
}
return new TransactionSignature(r, s, TransactionSignature.SIGHASH_ALL, false);
}
}
This code uses a deterministic kkk generator (HMacDSAKCalculator), eliminating random number generation errors. The sign method generates a secure signature for the message hash.
To be used in existing transaction code, calls to random signature generation must be replaced with calls to such a deterministic method.
Safety Recommendations
- Use libraries and implementations that support RFC 6979.
- Use BIP32 HD wallets for daily transactions.
- Avoid using outdated or insecure crypto libraries.
- Conduct an audit of key generation and pseudo-random number security.
- Ensure the security of private key storage, preventing leakage.
Conclusion
The problem of cryptographic vulnerabilities in the generation of keys and signatures of Bitcoin is critical, as it leads to the loss of control over funds. The use of deterministic signatures according to RFC 6979 and hierarchical wallets significantly reduces risks and is the best practice for modern crypto-wallet solutions.
In conclusion, the final conclusion can be formulated as follows:
Final conclusion
A critical cryptographic vulnerability has been identified in the Bitcoin signature protocol (based on the ECDSA algorithm) due to the reuse of the random signature parameter kkk or the generation of weak, predictable values of this parameter during the transaction creation process. This vulnerability, scientifically called ECDSA Nonce Reuse Attack, allows attackers to analyze multiple signatures produced with the same or related kkk parameters and, with a high probability, recover the user’s private key. This leads to complete key compromise and theft of funds.
This attack has been confirmed in practice, including cases of hacking hardware wallets based on ESP32 microcontrollers, vulnerable due to insufficient entropy of the random number generator and documented hardware backdoors. The number of registered vulnerabilities includes CVE-2025-27840, which is a critical threat to the security of Bitcoin wallet owners and the entire ecosystem.
The consequences of such attacks are staggering in scale: millions of dollars in cryptocurrency can be stolen and trust in the system undermined. This vulnerability is one of the most dangerous in the history of the cryptocurrency world, as it exploits a fundamental flaw in the implementation of cryptography – the generation of random numbers for signatures.
To eliminate this threat in practice, it is recommended to use deterministic signature algorithms (RFC 6979), which exclude the use of random numbers, as well as update hardware and cryptographic libraries taking into account the latest security audits.
Understanding and promptly patching such vulnerabilities is key to maintaining the security of digital assets and the stability of the Bitcoin network on a global scale.