Serious Fault Found in WalletGenerator’s Wallets

Publish date: 05/28/2019

According to MyCrypto.com researcher Harry Denley, the paper wallet site WalletGenerator.net’s wallets have a serious vulnerability. Denley posted a detailed account of the fault on his company’s official blog on May 24.

A Problem with the Original Code

According to Denley's analysis, the entire problem lies in the original open-source code used by WalletGenerator. Because of this code, the same private key-public key pairs were issued to multiple users.

This faulty code was in effect by August 17 of last year, and was only patched a few days ago on May 23. The live code was supposed to have been audited by GitHub and was also supposed to have been open-source. However, there was a difference between the original open-source code and the live code.

This discrepancy only started in August of 2018. Prior to that, the live code was open source and generated unique public/private key pairs at all times.

The MyCrypto researcher ran a test on the generator. He used the Bulk Wallet generator to generate 1,000 new keys. When Denley used the GitHub-approved version, he was able to generate 1,000 unique keys.

Next, between May 18 and May 23 this month, the researcher used the WalletGenerator.net live version at different times and in different statuses. However, no matter what time the test was carried out, and whether the user’s browser was refreshed, VPN locations were switched, or even another user carried out the same test, only 120 unique keys were generated from each session.

What this indicated was that the keys on WalletGenerator.net had been generated not randomly but deterministically.
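The uniqueness test described above can be run against any bulk export of keys. The following is an added example, not code from MyCrypto or WalletGenerator.net; both generator functions are constructed stand-ins, and the faulty one only models the observed 120-key result, not the site's actual code.

```python
import hashlib
import secrets
from collections import Counter

POOL_SIZE = 120  # unique keys per session reported in the article


def healthy_bulk(n):
    """Constructed stand-in: every key comes from the OS CSPRNG."""
    return [secrets.token_hex(32) for _ in range(n)]


def faulty_bulk(n):
    """Constructed stand-in that models the observed result only:
    keys are drawn from a fixed pool, identical in every session."""
    return [hashlib.sha256(b"fixed-%d" % (i % POOL_SIZE)).hexdigest()
            for i in range(n)]


def audit_sessions(sessions):
    """sessions maps a session label to the list of private keys
    exported from one bulk run. Returns per-session uniqueness and
    the number of keys shared between independent sessions."""
    per_session = {}
    seen_in = Counter()
    for label, keys in sessions.items():
        unique = set(keys)
        per_session[label] = {"generated": len(keys), "unique": len(unique)}
        seen_in.update(unique)  # count each key once per session
    shared = sum(1 for count in seen_in.values() if count > 1)
    repeats = any(s["unique"] < s["generated"] for s in per_session.values())
    return {
        "sessions": per_session,
        "shared_across_sessions": shared,
        # A sound generator yields no repeats and no cross-session overlap.
        "deterministic_suspected": repeats or shared > 0,
    }


if __name__ == "__main__":
    for name, gen in (("healthy", healthy_bulk), ("faulty", faulty_bulk)):
        result = audit_sessions({"run A": gen(1000), "run B": gen(1000)})
        print(name, result)
```

Any key that appears twice within a run, or in two runs taken from different browsers or networks, is enough to treat every key from that generator as exposed.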

Denying Culpability

In the middle of its investigation, MyCrypto reached out to WalletGenerator.net with its findings. The website immediately patched the problem, and it has not been noticed since then.

However, after patching the deterministic behavior of its wallet generator, WalletGenerator.net stated that MyCrypto’s allegations were baseless and, in fact, asked if the researcher was in reality a phishing site.


The researcher concluded his post by stating that this activity was highly suspect and that MyCrypto would recommend that all users who had generated private/public keys after August 17, 2018 using WalletGenerator.net move their funds to a more secure location.

Denley also recommended that people not use WalletGenerator.net going forward, despite the fact that activity seemed to have normalized on the website.
