According to a report published by Harry Denley, a security researcher for wallet provider MyCrypto, there has been a mismatch in the security keys used by paper wallet creator WalletGenerator. The post revealed that WalletGenerator had been deploying faulty codes as far back as August 2018, before patching the bug on May 23, 2019.
Deterministically-generated keys
The report clarified that ideally, the site should have an open-source code that is available on GitHub, and the keys generated on the website’s live version should be generated randomly.
However, after testing the live code, certain discrepancies were noticed between the public and private keys- most significantly, the fact that the platform was handing out identical private keys to multiple users.
Denley and his team of researchers went on to test the website using the “Bulk Wallet” generator, and they discovered that after 1,000 key-generation efforts, the GitHub version of the site returned 1,000 unique keys. However, the keys returned by the live code were just 120. These results were sustained, even after the team changed their VPNs and browsers used to run the test.
Move your funds now
The researchers decided to contact WalletGenerator about the potential vulnerability, and while the latter didn’t seem interested in their claims, Denley noted that the problem seemed to have been patched.
Denley went on to recommend that all WalletGenerator users who created their wallets after August 17, 2018, should move their funds to other platforms for the security of their funds, adding that while it seemed that the issue had been rectified, there’s always a possibility of it being re-introduced. At press time, WalletGenerator is yet to issue a statement on the issue.
While a report such as this could serve as an indictment of paper wallets, it’s worth noting that hardware wallets- their chief alternatives- aren’t so secure as well.
Ledger exposes Trezor
Earlier this year, hardware wallet provider Ledger published a report where it detailed vulnerabilities in the devices manufactured by Trezor, one of its chief competitors. According to the study, the vulnerabilities were discovered by Attack Lab, a department at the firm which launches attacks on devices owned by the company and its competitors to identify weaknesses.
Ledger revealed issues with the Trezor One and Trezor T wallets, such as the presence of a backdoor protocol, which would allow would-be imitators to make fake, malware-infested devices. Other vulnerabilities include the possibility of stealing confidential information right from Trezor’s devices, as well as sub-standard counter-attack measures contained in the crypto library of the Trezor One device.
In a rebuttal statement, Trezor pointed out that none of the weaknesses discovered by Ledger were critical to the hardware wallets themselves. According to the company, it was impossible for any of the vulnerabilities to be exploited remotely, as the would-be attackers would require “physical access to the device, specialized equipment, time, and technical expertise.” Trezor pointed out the result of a survey done in association with crypto wallet Binance, which revealed that 66 percent of users believe that remote wallet attacks are the main problem.
In addition, Trezor highlighted that a $5 wrench attack– a form of theft where a user is compelled to disclose his password- can’t be prevented by the manufacturer’s hardware barriers. Regardless, the probability of attacking a Trezor wallet is still relatively small.