In recent years, cryptocurrencies such as Bitcoin have become increasingly popular, and the security of cryptocurrency wallets has drawn more attention as a result. One significant issue in this area is the Randstorm vulnerability, which affects wallets created between 2011 and 2015. The vulnerability is due to bugs in the BitcoinJS library and weaknesses in random number generation in browsers at the time. Additionally, the verification function is_private_key_valid can exacerbate the problem by legitimizing mathematically incorrect private keys. In this article, we will look at the details of the Randstorm vulnerability and the impact of the is_private_key_valid function on the security of cryptocurrency wallets.
Randstorm vulnerability
The Randstorm vulnerability is a set of bugs and design flaws in the BitcoinJS library, which was widely used to create online wallets in the early 2010s. The core issue is the improper generation of random numbers, which results in the predictability of cryptographic keys. This allows unauthorized access to wallets, as attackers can recover passwords and gain control of funds.[1][2][3]
Reasons for vulnerability
- Insufficient randomness: The BitcoinJS library used the SecureRandom() function from the JSBN library, which did not provide sufficient randomness for cryptographic keys. This was exacerbated by bugs in the implementation of the Math.random() function in browsers at the time.[3][4]
- Use of outdated libraries: Some services continued to use outdated versions of the BitcoinJS library even after the bugs were fixed in 2014.[3]
Consequences of vulnerability
It is estimated that around 1.4 million Bitcoins are in wallets created using the vulnerable library, which is equivalent to between $1.2 billion and $2.1 billion at current market prices.[1][2] The Randstorm vulnerability not only affects Bitcoin, but also other cryptocurrencies such as Litecoin, Zcash, and Dogecoin if they used similar libraries.[3]
The is_private_key_valid check function
The function is_private_key_valid is designed to check the validity of private keys in cryptocurrency wallets. However, if this function is not implemented correctly or does not take into account the mathematical correctness of the keys, it can legitimize incorrect keys, which exacerbates the security problem.
Impact on safety
- Legitimizing incorrect keys: If the is_private_key_valid function does not check keys for mathematical correctness, it can validate keys generated using a vulnerable library, making them vulnerable to cracking.
- Increased risk of theft: Legitimizing invalid keys increases the risk of unauthorized access to funds, as attackers can use weak keys to gain access to wallets.
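The distinction drawn in this section, as an added example (not code from this article or from BitcoinJS): a range-checking is_private_key_valid for secp256k1, the curve Bitcoin uses, next to a format-only variant. The names format_only_check and predictable_key are hypothetical, all sample keys are constructed, and the seeded random.Random is only a stand-in for a predictable generator.

```python
import random
import string

# Order n of the secp256k1 group used by Bitcoin: a valid private key k has 1 <= k < n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _is_hex32(key_hex) -> bool:
    """Exactly 64 ASCII hex digits (32 bytes); no prefix, sign or whitespace."""
    return (isinstance(key_hex, str) and len(key_hex) == 64
            and all(c in string.hexdigits for c in key_hex))


def format_only_check(key_hex) -> bool:
    """Flawed variant (hypothetical): accepts anything that looks like 32 bytes."""
    return _is_hex32(key_hex)


def is_private_key_valid(key_hex) -> bool:
    """Format check plus the range check 1 <= k < n."""
    return _is_hex32(key_hex) and 1 <= int(key_hex, 16) < SECP256K1_N


def predictable_key(seed: int) -> str:
    """Constructed stand-in for a low-entropy generator; NOT the BitcoinJS code."""
    return "%064x" % random.Random(seed).getrandbits(256)


# Constructed sample keys, labelled by what they exercise.
SAMPLES = {
    "zero": "00" * 32,
    "equal to n": "%064x" % SECP256K1_N,
    "n - 1": "%064x" % (SECP256K1_N - 1),
    "all 0xff": "ff" * 32,
    "not hex": "zz" * 32,
    "predictable (seed 2011)": predictable_key(2011),
}


def compare() -> dict:
    """Map each sample label to (format_only_check, is_private_key_valid)."""
    return {name: (format_only_check(k), is_private_key_valid(k))
            for name, k in SAMPLES.items()}


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:24} format-only={loose!s:5} range-checked={strict}")
```

The predictable key passes the range check as well: validation confirms that a key is well formed, not that it was generated with enough entropy, so it cannot substitute for a secure random source.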
Conclusion
The Randstorm vulnerability and incorrect implementation of the function is_private_key_valid pose significant security risks to cryptocurrency wallets created between 2011 and 2015. Owners of such wallets are advised to immediately transfer funds to new, more secure wallets to avoid possible theft. In addition, developers need to pay special attention to the quality of random number generation and the correct implementation of key verification functions to ensure user safety.
Recommendations
- Transfer funds: Move funds from vulnerable wallets to new ones created using modern and secure technologies.
- Key validation: Ensure that key validation functions are implemented correctly and take into account the mathematical correctness of keys.
- Updating libraries: Regularly update the libraries and frameworks you use to avoid using outdated and vulnerable versions.
Citations:
[1] https://torforex.com/stati/bitkojn-koshelki-mogut-obnulitsya/
[2] https://www.securitylab.ru/news/543834.php
[3] https://www.kaspersky.ru/blog/vulnerability-in-hot-cryptowallets-from-2011-2015/36592/
[4] https://xakep.ru/2023/11/22/randstorm/
[5] https://bluescreen.kz/niesiekrietnyi-kliuch-issliedovatieli-obnaruzhili-uiazvimosti-v-kriptokoshielkakh/