Researcher finds vulnerabilities in popular paper wallet site
- The analysis revolves around WalletGenerator’s original open-source code.
- The researcher advised removing funds from WalletGenerator-based paper wallets.
Harry Denley, a security researcher from MyCrypto.com, has recently posted a brief analysis of popular paper wallet site “WalletGenerator.net.” The core of the analysis revolves around WalletGenerator’s original open-source code. The online code matched the open-source code and it generated wallets using a client-side technique that took in real random entropy and produced a unique wallet until August 17, 2018.
As per Denley:
“Approaching from a different angle, we then used the “Bulk Wallet” generator to generate 1,000 keys. In the non-malicious, GitHub version, we are given 1,000 unique keys, as expected.
However, using WalletGenerator.net at various times between May 18, 2019 -May 23, 2019, we would only get 120 unique keys per session. Refreshing our browser, switching VPN locations, or having a different party perform the same test would result in a different set of 120 keys being generated.”
Denley highly recommends moving funds off of your WalletGenerator-based paper wallets:
“We’re still considering this highly suspect and still recommending users who generated public/private keypairs after August 17, 2018, to move their funds. We do not recommend using WalletGenerator.net moving forward, even if the code at this very moment is not vulnerable.”
Author
Rajarshi Mitra
Independent Analyst
Rajarshi entered the blockchain space in 2016. He is a blockchain researcher who has worked for Blockgeeks and has done research work for several ICOs. He gets regularly invited to give talks on the blockchain technology and cryptocurrencies.
