A crypto recovery company, Unciphered, has discovered a significant vulnerability in BitcoinJS library.
As reported by The Washington Post, the vulnerability called Randstorm was prevalent among crypto wallets generated between 2011 and 2016. While no specific details on the bug have been released, the report says the BitcoinJS library was not generating private keys for crypto wallets properly. The random number generator was insufficient, leaving nearly $1 billion worth of crypto exposed for a hack.
“BitcoinJS is terribly broken up till March 2014. Anyone directly using it is on the very high end of risk to attack.”Unciphered Co-Founder Eric Michaud
BitcoinJS developer Stefan Thomas confirmed the vulnerability in a commentary to The Post. He had developed the software as a hobby, taking the major part of the code from a source code published on Stanford University’s website.
“Instead, I was obsessed about making sure that I did not make any mistakes in my own code. I’m sorry to anyone affected by this bug.”BitcoinJS developer Stefan Thomas
According to The Post, the BitcoinJS library was used by many crypto websites such as Blockchain.com (formerly Blockchain.info), Dogechain.info, Block.io, and others. However, Blockchain.com is said to have fixed the issue, adding more randomness to the random number generator.
The BitcoinJS vulnerability appears to be not entirely new. In 2018, David Gerard, a Unix system expert based in the U.K., previously revealed that he had discovered discussion threads on the Bitcointalk forum as early as 2013 on this particular issue. Back then, some web-based Bitcoin wallets used the SecureRandom() function to generate private keys.