Did you use WalletGenerator.net? You should change your keys
Even doing almost everything right is no guarantee that funds will remain safe.
A recent report has found vulnerabilities in the WalletGenerator.net key generator site which have reportedly resulted in duplicate keys being generated for multiple users.
It's most likely that this is a deliberate, malicious vulnerability rather than a simple mistake. The reason being, the site's wallet generation code no longer matches the GitHub code for the site.
The code on GitHub "is not malicious nor vulnerable, nor has it been malicious or vulnerable previously", the investigator assures. It's the site itself that is serving up vulnerable private keys. More specifically, the keys it generates might appear random at first inspection but are actually guessable by someone who knows how the code works.
This flaw isn't just a slight risk either. The researchers generated 1,000 private keys between 18 May and 23 May 2019, and came back with only 120 different private keys. Changing various settings would simply generate a different set of 120 different keys.
The ownership of the site changed hands a couple of years ago, and "it is unclear at this time if the new owner is responsible for these code changes or if the server has been compromised by an external party".
A look back at the site's history shows that the vulnerability was introduced in August 2018.
Step by step guide
If you may have been affected by this, you should consider following these steps:
- Keep running.
- Don't look back.
In other words, securely generate a new address with a different service, and move your funds there.
There are some grey areas around when exactly the site was rendered vulnerable, and who's responsible for it, but at this point someone who doesn't want to take any chances is probably just going to stay away from WalletGenerator.net entirely.
When the security researchers contacted the site owners, they said everything is fine and there's nothing to worry about.
The researchers also noted that the issue appears to be on and off. It's possible that in an effort to keep a low profile, someone is only swapping in the malicious key generator at certain times.
This incident serves as a neat reminder of how many vulnerabilities there can be in anything that's on the Internet. In this case, it's not clear whether the site owners themselves are responsible or whether someone hacked their site, but the end result is the same.
Key generators are a particular bugbear and countless fortunes of all kinds have been lost to them over the years, often in quite creative ways.
In most cases, some kind of friction between the GitHub repository and the code actually being used on the site is involved. For example someone previously stole about €10 million in IOTA with a compromised IOTA seed generator. In that case it was a malicious site owner, who was later arrested, who correctly assumed no one one would bother actually checking to make sure the site's seed generator matched the GitHub repository. That seems to be broadly similar to what may have happened here.
You can also find a slightly more curious example with compromised SysCoin wallets. In that case, one of the coin's developers was a little incautious and someone was able to hack their GitHub account. By logging in as the developer they were able to swap out the official SysCoin wallet with a compromised version that steals keys.
But if they were handing out prizes, it would probably go to the Bitcoin Gold developer who opted for an early retirement by transparently putting up a compromised wallet, and forcing it to popularity with the strength of their reputation. The developer was well-known in the community, and thanks to their previous non-malicious work, their wallet got a lot of endorsements from other trusted figures. And their wallet genuinely did match the public GitHub repository, but the vulnerability in it was obscured through some clever programming.
All these incidents, and countless more, also come together to highlight the security challenges remaining in the crypto space. Even if you do everything right, and use only the most trusted wallets, there are no guarantees. Someone might have thoroughly assessed WalletGenerator.net, only for the code to take a turn for the malicious afterwards.
Ideological purists might roll their eyes at it, but it's easy to see why institutions would much rather use third party custody solutions rather than take the risk of being their own bank.
Disclosure: The author holds BTC, BNB, ATOM, IOTA at the time of writing.