$9 000 USD

JUNE 2020

GLOBAL

NONE

DESCRIPTION OF EVENTS

"Alistair Milne, CIO of the Altana Digital Currency Fund, orchestrated a challenge on Twitter where the winner would get an entire Bitcoin. Starting in May, he periodically published hints to a 12-word seed phrase for a wallet address that contained one Bitcoin. Whoever picked up all the clues could use the phrase to unlock the Bitcoin wallet and take the Bitcoin inside."

 

"Alistair Milne tweeted that he planned to give away 1 Bitcoin in a wallet generated using a 12-word mnemonic." "The private keys to [a] 1BTC wallet were generated from a 12-word mnemonic seed. Over the next ~30 days I will be releasing the words (or a clue to a word) on my various social media pages."

 

"Milne planned to post the last three or four words in one go. This was an attempt to prevent someone from brute-forcing the address open (by continuously guessing words until a combination worked). But his plan failed. With just eight words, Cantrell was able to guess the remaining words, find the right combination and unlock the wallet."

 

"With 8 known words there are 2^40 (~1.1 trillion) possible mnemonics." "To test a single mnemonic we have to generate a seed from the mnemonic, master private key from the seed, and an address from the master private key."

 

"I ported all necessary code for generating and checking a mnemonic (SHA-256, SHA-512, RIPEMD-160, EC Addition, EC Multiplication) to OpenCL C which is a programming language to run code on a GPU." "I wrote a server application that would orchestrate the distribution of work into batches of ~16 million mnemonics to a pool of GPU workers. Each GPU worker would ask the server for the next batch of work to do, perform the work, and log the result back to the server."

 

"I spent ~$350 renting GPUs from vast.ai (plus ~$75 for free from Azure)." "I was worried about other people doing the same and is why I included a .01 BTC miner fee. I didn’t think even this would be enough and thought there could be a ‘race to zero’ where people continually increased the fee trying to get the miners to include their transaction in the next block."

 

"Creating a contest that isn’t won by software is difficult. I’d like to pay-it-forward and try crafting one myself."

Twitter user Alistair Milne launched a contest where he would unveil one word of a 12-word seed phrase periodically over a month. The wallet contained a whole bitcoin. John Cantrell was able to brute force the seed phrase with only 8 of the words, extracting the funds prematurely before the last 4 words were unveiled. Ultimately, John was declared the winner of the contest and kept the full amount.

HOW COULD THIS HAVE BEEN PREVENTED?

The contest showed that brute-forcing a seed phrase is practical once 8 of its 12 words are known. Never share any part of your seed phrase with anyone unless you intend to give them all your funds, because every disclosed word shrinks the search space for a brute-force attack.
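The 2^40 figure quoted above is smaller than 2048^4 = 2^44 because the last word of a mnemonic carries checksum bits, so only 1 in 16 guesses is a valid phrase at all. The following is an added example, not code from Cantrell or from this site, which measures the space left after each disclosed word. It assumes the standard BIP-39 encoding (11 bits per word, 4 checksum bits for 12 words) and that the still-secret words are the trailing ones in known positions; word indices stand in for the wordlist, and the sample prefix is constructed.

```python
import hashlib

WORD_BITS = 11  # assumption: standard BIP-39, each word is an 11-bit index into a 2048-word list

def checksum_bits(total_words):
    """Checksum length in bits: 1 per 32 bits of entropy (4 for 12 words, 8 for 24)."""
    return total_words * WORD_BITS // 33

def checksum_ok(indices):
    """True if the word indices form a valid mnemonic (trailing bits match SHA-256 of the entropy)."""
    cs = checksum_bits(len(indices))
    value = 0
    for i in indices:
        value = (value << WORD_BITS) | i
    entropy = (value >> cs).to_bytes((len(indices) * WORD_BITS - cs) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    return (value & ((1 << cs) - 1)) == expected

def valid_last_words(prefix):
    """Count the final words that pass the checksum when every other word is already fixed."""
    return sum(checksum_ok(prefix + [w]) for w in range(1 << WORD_BITS))

def residual_bits(total_words, secret_trailing_words):
    """log2 of the candidates left when only the last N words (positions known) are still secret."""
    if secret_trailing_words == 0:
        return 0
    return secret_trailing_words * WORD_BITS - checksum_bits(total_words)

# Constructed sample prefix of 11 word indices; not taken from any real wallet.
CONSTRUCTED_PREFIX = [(i * 97 + 5) % 2048 for i in range(11)]

if __name__ == "__main__":
    print("valid 12th words for a fixed 11-word prefix:", valid_last_words(CONSTRUCTED_PREFIX))
    for revealed in range(13):
        bits = residual_bits(12, 12 - revealed)
        print(f"{revealed:2d} words revealed -> 2^{bits} candidates ({2 ** bits:,})")
```

Run as a script, it prints the remaining candidate count for every number of revealed words, including the 2^40 case described in this incident.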

 


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.