Open-Source Tool Identifies Weak Bitcoin Wallet Signatures

The developer behind a Heartbleed vulnerability checker has developed a new tool that tracks down poorly secured bitcoin transactions.

Oct 16, 2014 at 3:11 p.m. UTC
Updated Mar 2, 2023 at 10:28 p.m. UTC


UPDATE (17th October 15:00 BST): A previous version of this article stated that Valsorda "pinned the blame for the vulnerability on developers", however he has since denied this.


The developer behind a program that checks for the Heartbleed vulnerability, Filippo Valsorda, has created a new tool that he says tracks down poorly secured bitcoin transactions.

Insecure transactions can leak private keys, increasing the risk that a user's bitcoin could be stolen, and Valsorda's Blockchainr tool is designed to weed them out.

According to research by Valsorda, known flaws in some implementations of the Elliptic Curve Digital Signature Algorithm (ECDSA), which provides the cryptographic protection for bitcoin transactions, render certain wallets and transactions vulnerable to attack.

While the risk to funds held in wallets is very low, Valsorda claims that certain well-known bitcoin clients may be weaker than others because of the way they generate random numbers.

"I applied a known attack to the real world and showed how you could use ECDSA in a safe way that doesn't need random numbers so that it would not fail scanning the block chain," Valsorda told Vulture South at The Register.

His research findings were presented at the Hack In The Box 2014 event in Malaysia yesterday.

Transaction weak spot

Valsorda argues that, if poorly implemented, ECDSA can produce weak signatures that lack randomness. If an attacker can find such transactions in the block chain, the weakness can be exploited to reveal the private keys involved.

[Figure: Valsorda's signature formula]

A poor random number generator (RNG) can produce the same 'random' number ('k' in the formula above) on more than one occasion. During signing, this number is multiplied by the same generator point that is used to derive the public key, so a repeated k shows up as a repeated value in the signatures.

Since one unknown has been removed from the equation, the private key can be recovered with some additional arithmetic on the two signatures.

The chance of even a bad RNG producing an identical number twice is very low, but it still poses a small risk.

While researching the vulnerability, Valsorda believes he found evidence of bitcoin thefts exploiting it dating back to 2013.

According to The Register, Valsorda said he identified one attacker who stole 59 BTC in August 2013.

He added:

"I found two really big events where someone probably made an error while writing their client that generated hundreds and hundreds of vulnerable transactions."

Wallets examined

Valsorda designed his Blockchainr tool to scan the block chain for vulnerable transactions.

While some might fear such information could be misused, Valsorda did not manage to find any wallets that could be raided. However, he said, this may be because they have been raided already.

In addition to testing old transactions, Valsorda also examined the ECDSA implementation in a number of popular wallets.

He claims that some providers, such as Electrum, MultiBit/Bitcoinj, Bitrated/Bitcoinjs-lib and Trezor, use a safer, deterministic model of signature generation, while Bitcoin Core, Blockchain and Armory were found to be less safe.

In some cases, use of the browser's RNG was linked to reduced transaction safety. Even for the wallets deemed less safe, the chance of duplicate signature generation is still less than 1%, said Valsorda.
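The two points above, the repeated-nonce weakness described under "Transaction weak spot" and the deterministic signing model that the safer wallets use, are easiest to see in code. The following is an added example written for this article; it is not Valsorda's Blockchainr code and not any wallet's implementation. It uses a small pure-Python ECDSA over secp256k1 (the curve bitcoin uses), signs two constructed transaction hashes once with a reused nonce and once with a deterministic nonce, and runs a Blockchainr-style scan that flags any signature value r that appears twice under the same public key for different messages. The deterministic nonce here is a simplified HMAC-SHA256 construction, not the full RFC 6979 procedure; the private key, the nonce value and the transaction hashes are all constructed for the demo.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve used by bitcoin)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _inv(a, m):
    return pow(a, -1, m)


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * _inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def msg_hash(data):
    """Hash a (constructed) transaction to an integer mod N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(priv, h, k):
    """ECDSA sign with an explicitly supplied nonce k, so reuse can be demonstrated.
    r depends only on k and G, so the same k always gives the same r."""
    r = _mul(k, G)[0] % N
    s = _inv(k, N) * (h + r * priv) % N
    return (r, s)


def verify(pub, h, sig):
    r, s = sig
    w = _inv(s, N)
    pt = _add(_mul(h * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def deterministic_k(priv, h):
    """Simplified deterministic nonce: HMAC-SHA256(priv, h) mod N.
    Not full RFC 6979 (which runs an HMAC_DRBG), but the same idea: no RNG,
    and the nonce changes whenever the message or the key changes."""
    mac = hmac.new(priv.to_bytes(32, "big"), h.to_bytes(32, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % N or 1


def find_reused_nonces(signatures):
    """Blockchainr-style scan over (pubkey, msg_hash, (r, s)) records.
    The same r under the same key for two *different* messages means the nonce
    was reused; the same message signed twice deterministically is not a reuse."""
    first_seen = {}
    flagged = []
    for pub, h, (r, _s) in signatures:
        key = (pub, r)
        if key in first_seen and first_seen[key] != h and key not in flagged:
            flagged.append(key)
        first_seen.setdefault(key, h)
    return flagged


def demo():
    """Constructed scenario: one key signs two transactions with a reused nonce,
    then signs the same two with deterministic nonces."""
    priv = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF  # constructed
    pub = _mul(priv, G)
    h1, h2 = msg_hash(b"constructed tx one"), msg_hash(b"constructed tx two")
    reused = [(pub, h, sign(priv, h, 0xDEADBEEF)) for h in (h1, h2)]  # bad RNG repeats k
    det = [(pub, h, sign(priv, h, deterministic_k(priv, h))) for h in (h1, h2)]
    return {
        "reused_flagged": len(find_reused_nonces(reused)),
        "deterministic_flagged": len(find_reused_nonces(det)),
        "all_valid": all(verify(p, h, s) for p, h, s in reused + det),
    }


if __name__ == "__main__":
    print(demo())
```

Both sets of signatures verify, which is the point: a wallet that reuses k produces signatures that look perfectly valid to the network, and only a scan that correlates r values across transactions, as Blockchainr does, reveals the problem. Deterministic nonces remove the dependency on the platform RNG entirely, which is why signing the same transaction twice with the same key then yields an identical signature rather than a second, independent one.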

Conclusion criticised

Not everyone agrees with the conclusions, however. Armory's CEO and founder Alan C Reiner told CoinDesk:

"Valsorda is criticizing the globally standardized use of ECDSA, which is implemented and applied properly in our software. Since ECDSA was created, it has always required a random number generator and all software that implements it should use a random number generator. That's part of its specification."

"The fact that people are moving to 'deterministic signing' is really an enhancement, to protect against weak random number generators," he said. "But Armory doesn't run on any platforms with weak RNGs, so our 'unsafe' rating should be 0%."

Reiner further said that Armory follows the NIST-approved specification for ECDSA, which has been in place for 10 years, "the same way it is used in other secure systems throughout the Internet".

Old browser issue

CoinDesk also spoke to Blockchain about Valsorda's claims. A spokesperson said:

"This issue first came to our engineering team's attention in August 2013. We took steps then to patch the vulnerability created by a small minority of users relying on old out-of-date web browser versions.

Blockchain's My-Wallet tool relies on, not one, but three sources of entropy to generate ECDSA signing keys: the browser-based RNG, mouse movement & keyboard interaction, and a server-side RNG. This protects users from out-of-date browsers with weak RNGs while maintaining the ability to run a fully client-side, non-custodial wallet that is easy to use across your desktop and mobile devices."

Blockchain, the firm said, remains vigilant about potential security issues and continues to actively monitor potential threat vectors generated by common software such as web browsers.

Blockchain encouraged all users to make sure they are running the most up-to-date software to ensure better security.

Valsorda has made his code freely available to other developers by posting it on GitHub and has called on fellow developers to address the issue, taking care in their choice of random number generators.
