Quadriga Initiative Logo.png

QUADRIGA INITIATIVE

CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM

A COMMUNITY-BASED, NOT-FOR-PROFIT

UNKNOWN

MAY 2019

GLOBAL

WALLETGENERATOR

DESCRIPTION OF EVENTS

"Online cryptocurrency paper wallet creator WalletGenerator.net previously ran on code that caused private key/public key pairs to be issued to multiple users. The vulnerability was described in an official blog post by security research Harry Denley of MyCrypto on May 24.

 

According to the post, the bad code was in effect by August 2018, and was only recently patched out as of May 23. The live code on the website is reportedly supposed to be open source and audited on GitHub, but there were differences detected between the two. After researching the live code, Denley concluded that the keys were deterministically generated on the live version of the website, not randomly.

 

In one of MyCrypto’s tests between May 18–23, they attempted to use the website’s bulk generator to make 1,000 keys. The GitHub version returned 1,000 unique keys, but the live code returned 120 keys. Running the bulk generator always reportedly returned 120 unique keys instead of 1,000 even when other factors were tweaked, including browser refreshes, VPN changes, or user changes."

 

“ELI5: When generating a key, you take a super-random number, turn it into the private key, and turn that into the public key / address. However, if the ‘super-random' number is always ‘5,’ the private key that is generated will always be the same. This is why it’s so important that the super-random number is actually random…not ‘5.’”

 

"WalletGenerator patched the determinism problem after MyCrypto reached out during the middle of its investigation. WalletGenerator purportedly responded afterward saying that the allegations could not be verified, and even asked the correspondent if MyCrypto was a “phishing website.”"

 

Explore This Case Further On Our Wiki

WalletGenerator.net was a website which assisted in the generation of bitcoin wallets. The tool gained a lot of trust by being open source, however for several months between August 2018 and May 2019, the keys generated would be within a limited set, meaning multiple users could easily be assigned the same key. There are no specific reports identified yet of users having lost funds in this case.

HOW COULD THIS HAVE BEEN PREVENTED?

Generating your wallet using a third party website is likely not the best idea.

 

Check Our Framework For Safe Secure Exchange Platforms

Computer Researcher Finds Wallet Vulnerability That Gave Same Key to Multiple Users (Sep 2)
Disclosure Key Generation Vulnerability Found on Walletgenerator Net Potentially Malicious (Mar 24)
GitHub - walletgeneratornet/WalletGenerator.net: Universal JavaScript Client-Side Wallet Generator (Mar 24)
WalletGenerator.net - Universal Paper wallet generator for Bitcoin and other cryptocurrencies (Mar 24)

Sources And Further Reading

More case studies

CoinBase Sim
Swapping

Trezor Fake
Google Play App

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2019 - 2026 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.