Recently, Unciphered, a company providing cryptocurrency wallet recovery services, issued a warning to users about the Randstorm vulnerability, which could expose the seed phrases of older wallets to theft at any time.
Specifically, the wallets affected by the Randstorm vulnerability are older Bitcoin wallets created between 2010 and 2016, which used a random number generator that is weak by today's standards to generate their seed phrases. Before 2016, many browser-based wallets used BitcoinJS, a widely used JavaScript library for Bitcoin wallets, to generate seed phrases. However, BitcoinJS relied on a weak random number generation algorithm, and the keys it produced can now be recovered by attackers with modest effort.
According to Trail of Bits, BitcoinJS was reused by dozens of other blockchain companies, making it difficult to determine who might be affected. For investors who hold wallets with a long history (e.g., created in 2010) and significant balances, this uncertainty is a real cause for concern.
Additionally, Unciphered warned that Dogecoin, Litecoin, and Zcash wallets are also affected by this vulnerability. This is because Dogechain.info, a popular Dogecoin explorer since 2013, provides wallet creation services using BitcoinJS.
To demonstrate the severity of this vulnerability, @trailofbits quickly created a proof-of-concept attack in Python. Using it, they were able to recover a seed phrase in just a few days on a MacBook.
Recognizing the significant risk, Unciphered reached out to wallet providers and recommended that long-term investors transfer their funds to a newly created wallet.