Blockchain.info R Value Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 14:35, 24 January 2023 by Azoundria

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Blockchain.info

The blockchain.info web wallet had a wallet generation vulnerability. For a few hours, wallets were generated in a predictable way with a less secure R value. This meant that the funds in those wallets could be taken by hackers. A combination of black hat and white hat hackers took funds. It appears that blockchain.info made a special effort to reimburse all affected users, though in at least one case a user reported that their refund was sent to a hacker instead of to them.

This is a global/international case not involving a specific country.

About Blockchain.info

"The world’s most popular crypto wallet. Over 80 million wallets created to buy, sell, and earn crypto." "As they say, not your keys, not your crypto. Blockchain.com Private Key Wallets are the most widely-used wallets for self-custody of your crypto. We make it easy for people who are ready to control their private keys to hold them with a Secret Private Key Recovery Phrase." "When it comes to ensuring that your crypto is secure, we think about every last detail so you don’t have to."

“[An] issue was present for a brief period of time between the hours of 12:00am and 2:30am GMT on December the 8th 2014. The issue was detected quickly and immediately resolved. In total, this issue affected less than 0.0002% of our user base and was limited to a few hundred addresses. We have sent an alert to all users who have potentially vulnerable addresses in their wallets, for which we have an email on file. We are committed to working with any affected users to assess and rectify any issues.”

"I only know about ~106 stolen coins, my assumption is that there must be much more that I don't know about."

"When making a scheduled software update overnight to our web-wallet, our development team inadvertently affected a part of our software that ensures private keys are generated in a strong and secure manner."

"We have sent an alert to all users who have potentially vulnerable addresses in their wallets, for which we have an email on file. We are committed to working with any affected users to assess and rectify any issues."

"If you created a wallet, generated a new address via Blockchain.info’s web-wallet, or sent bitcoin from your wallet during this time period and have not provided us with your email address, please contact our support desk at support@blockchain.zendesk.com or simply create a new wallet."

"This person claims to have been sweeping the affected addresses. He seems open to returning the funds. In my opinion he and blockchain.info should be put into contact as they could help get the coins back to where they belong. But you can contact him on that thread to attempt recovery as well."

"Affected users can contact the official portal for Blockchain user support. The company says that the support team is available seven days a week to help." "Our support team will respond to each individual case as quickly as they can. Some cases will require more research than others and this is to ensure the correct amount of funds are returned to each user who lost funds because of this issue."

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Blockchain.info R Value Vulnerability

Date | Event | Description
December 8th, 2014 8:59:53 AM | First Event | This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

It is unknown how much was recovered.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies
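
The "R value" in the summary above is the r component of an ECDSA signature. The following audit is an added example, not part of the original case study or Blockchain.info's code: it parses DER-encoded signatures and flags any r that appears with more than one s. It assumes the trailing SIGHASH byte has already been stripped, and the sample signatures are constructed.

```python
from collections import defaultdict

def parse_der_sig(sig: bytes) -> tuple[int, int]:
    """Parse 30 <len> 02 <rlen> <r> 02 <slen> <s> and return (r, s)."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")

    def read_int(pos: int) -> tuple[int, int]:
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = sig[pos + 1]
        end = pos + 2 + n
        if n == 0 or n > 33 or end > len(sig):
            raise ValueError("bad INTEGER length")
        if sig[pos + 2] & 0x80:
            raise ValueError("negative INTEGER")
        return int.from_bytes(sig[pos + 2:end], "big"), end

    r, pos = read_int(2)
    s, pos = read_int(pos)
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return r, s

def find_reused_r(records):
    """records: (label, der_signature) pairs. Returns {r: [labels]} for each
    r that occurs with two or more different s values."""
    by_r = defaultdict(list)
    for label, sig in records:
        r, s = parse_der_sig(sig)
        by_r[r].append((label, s))
    # Identical (r, s) pairs are the same signature seen twice, not a reuse.
    return {r: [label for label, _ in hits]
            for r, hits in by_r.items()
            if len({s for _, s in hits}) > 1}

def sample_sig(r_byte: str, s_byte: str) -> bytes:
    # Constructed test data (repeated bytes), not real signatures.
    return bytes.fromhex("30440220" + r_byte * 32 + "0220" + s_byte * 32)

SAMPLE = [("tx-a", sample_sig("11", "22")), ("tx-b", sample_sig("11", "33")),
          ("tx-c", sample_sig("44", "55")), ("tx-a-dup", sample_sig("11", "22"))]

if __name__ == "__main__":
    for r, labels in find_reused_r(SAMPLE).items():
        print(f"r={r:064x} reused by {labels}")
```

A repeated r means the signing nonce was repeated, so the keys behind the flagged signatures should be treated as exposed and their funds moved to freshly generated keys.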
