Independent Security Evaluators (ISE) has published a report about the Ethereum blockchain. The report claims that poorly implemented private key generation is facilitating the theft of cryptocurrency. ISE said they discovered 732 private keys as well as their corresponding public keys that committed 49,060 transactions to the Ethereum blockchain.
Additionally, ISE researchers said they identified 13,319 Ether (ETH) which was transferred to both invalid destination addresses and forever lost, as well as to wallets derived from weak private keys which were targeted for theft.
According to ISE, the value of the combined total loss would have been almost $19 million at the peak of the Ethereum market in mid-January 2018.
ISE researcher Adrian Bednarek said the chances of duplicating or guessing a randomly-generated private key already used on the Ethereum blockchain are approximately 1 in 115 quattuorvigintillion. At those odds, a brute force attack "should be practically impossible."
"In light of these odds, the number of ETH tokens, number of transactions, total USD value of lost ETH, and number of actively used private keys found by ISE's researchers was significant," said Bednarek.
ISE claimed their ability to find private keys was possibly due to programming errors in the software that generated them.
ISE hypothesized that in various Ethereum wallet software implementations, a 256-bit, sufficiently random private key might be created, but the full value of the key becomes truncated on output due to coding mistakes. ISE stated:
“… error codes used as keys, memory reference issues, object confusion, stack corruption, heap corruption, or unchecked pre-compiled coding errors could also result in weak keys. These private keys are not sufficiently random which makes it trivial for a computer to brute force and eventually guess.”
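The truncation hypothesis above is easy to see in code. The following is an added example, not ISE's tooling or any wallet's actual source: it generates a secp256k1 private key correctly, then passes it through a constructed bug (`buggy_export`) that squeezes the key through a narrow integer so only its low bits survive, and runs the kind of sanity check (`check_private_key`) a wallet could apply before using or storing a key. The 200-bit threshold and the trailing-zero limit are this example's own choices, not a published standard.

```python
"""Weak-key detection for secp256k1 private keys (Ethereum style).

Added example. It demonstrates the failure mode ISE hypothesised: a
256-bit key is generated correctly, but is truncated on output, leaving
an exported key that lives in a tiny search space.
"""
import secrets
from typing import Tuple

KEY_LEN = 32  # bytes in a 256-bit key
# Group order n of secp256k1; a valid private key is an integer in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# A genuinely random 256-bit key has fewer than 200 significant bits with
# probability 2^-56, so anything below that is treated as truncated.
# Threshold chosen for this example, not a standard.
MIN_SIGNIFICANT_BITS = 200
# Eight or more trailing zero bytes happens with probability 2^-64 for a
# random key; again an example threshold.
MAX_TRAILING_ZERO_BYTES = 7


def generate_private_key() -> bytes:
    """Correct generation: 32 CSPRNG bytes, rejected if outside [1, n-1]."""
    while True:
        key = secrets.token_bytes(KEY_LEN)
        if 1 <= int.from_bytes(key, "big") < SECP256K1_N:
            return key


def buggy_export(key: bytes, keep_bits: int = 32) -> bytes:
    """Constructed bug: the key passes through an integer of `keep_bits`
    width on its way out, so only the low bits survive and the upper
    bytes of the exported key are zero."""
    mask = (1 << keep_bits) - 1
    return (int.from_bytes(key, "big") & mask).to_bytes(KEY_LEN, "big")


def significant_bits(key: bytes) -> int:
    """Bit length of the key viewed as a big-endian integer."""
    return int.from_bytes(key, "big").bit_length()


def trailing_zero_bytes(key: bytes) -> int:
    """Number of zero bytes at the end of the key."""
    return len(key) - len(key.rstrip(b"\x00"))


def check_private_key(key: bytes) -> Tuple[bool, str]:
    """Sanity checks a wallet could run before using or storing a key.
    Returns (ok, reason)."""
    if len(key) != KEY_LEN:
        return False, f"wrong length: {len(key)} bytes, expected {KEY_LEN}"
    value = int.from_bytes(key, "big")
    if not 1 <= value < SECP256K1_N:
        return False, "value outside [1, n-1]"
    bits = significant_bits(key)
    if bits < MIN_SIGNIFICANT_BITS:
        return False, f"only {bits} significant bits: looks truncated"
    if trailing_zero_bytes(key) > MAX_TRAILING_ZERO_BYTES:
        return False, "too many trailing zero bytes: looks zero-padded"
    if len(set(key)) == 1:
        return False, "all bytes identical: not random"
    return True, "ok"


if __name__ == "__main__":
    good = generate_private_key()
    bad = buggy_export(good)
    print("generated:", good.hex(), check_private_key(good))
    print("exported :", bad.hex(), check_private_key(bad))
```

Run as a script it prints a freshly generated key that passes the checks beside its truncated export, which fails with "only 32 significant bits". The checks are cheap, and a wallet that applied them to its own output would reject the small-integer keys the report describes instead of funding them.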
ISE said they discovered an individual or group they labeled the "Blockchainbandit" stealing ETH funds from some of the wallets associated with the discovered weak private keys. ISE said they observed the thief sending that ETH to a single destination wallet. Reportedly, on January 13, 2018, Blockchainbandit's wallet held a balance of 37,926 ETH valued at $54,343,407. Due to the decline in the value of ETH, that amount is now worth far less, about $6.6 million.
ISE stated that the perpetrator continues to steal ETH: the researchers said they placed a small amount in a weak-key wallet and "within seconds, the ETH was transferred out and into the bandit's wallet."
ISE recommended strong private keys.
The entire report is available here.