
Poorly generated addresses cause Blockchain.info customer’s BTC loss

What happened?

Blockchain.info seems to be under much heat lately from all the recent attacks, ranging from HTTPS redirection by rogue Tor nodes to phishing attempts. During a scheduled update by the blockchain.info team an issue was present between 12:00am and 2:30am GMT on 12/8/14. According to the official blockchainwallet reddit account:

If you created a wallet, generated a new address via Blockchain.info’s web-wallet, or sent bitcoin from your wallet during this time period and have not provided us with your email address, please contact our support desk at support@blockchain.zendesk.com or simply create a new wallet.

What was the issue? How were the coins stolen? We are here to find out.

Repeated R values

A bitcoin transaction has inputs and outputs. It looks like this:

Input:
Previous tx: f5d8ee39a430901c91a5917b9f2dc19d6d1a0e9cea205b009ca73dd04470b9a6
Index: 0
scriptSig: 304502206e21798a42fae0e854281abd38bacd1aeed3ee3738d9e1446618c4571d1090db022100e2ac980643b0b82c0e88ffdfec6b64e3e6ba35e7ba5fdd7d5d6cc8d25c6b241501

Output:
Value: 5000000000
scriptPubKey: OP_DUP OP_HASH160 404371705fa9bd789a2fcd52d2c580b65d35549d OP_EQUALVERIFY OP_CHECKSIG

Here is a brief overview of what an input and an output in a transaction consist of (taken from the Bitcoin wiki):

Input

An input is a reference to an output in a different transaction. Multiple inputs are often listed in a transaction. The values of the referenced outputs are added up, and the total is usable in the outputs of this transaction. Previous tx is a hash of a previous transaction. Index is the specific output in the referenced transaction. ScriptSig is the first half of a script. The script contains two components, a signature and a public key.

Output

An output contains instructions for sending bitcoins. Value is the number of Satoshi (1 BTC = 100,000,000 Satoshi) that this output will be worth when claimed. ScriptPubKey is the second half of a script (discussed later). There can be more than one output, and they share the combined value of the inputs.

The Script

A script is essentially a list of instructions recorded with each transaction that describe how the next person wanting to spend the Bitcoins being transferred can gain access to them. It contains a signature and a public key. According to Nils Schneider, on 12/25/13 he discovered a potential weakness in some Bitcoin implementations. He gave an example transaction:
transaction: 9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1

input script 1:
30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e0104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff

input script 2:
30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab0104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff

The above is an example of a transaction with 2 inputs. If you look closely you can see that the two scripts share many identical bytes at the beginning and at the end. Since the beginning of each script is the DER-encoded signature (r, s), the matching prefix means r1 = r2:

r1: d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1
r2: d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1

s1: 44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e
s2: 9a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab
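Here is the same comparison done mechanically on the two input scripts quoted above, as an added example that is not from the original post: it walks the DER structure of each signature to pull out r and s, then flags any r that occurs more than once, which is the check a wallet audit would run over a batch of signatures before concluding that a nonce was reused.

```python
# The two input scripts quoted above, exactly as the post lists them: DER signature,
# one sighash byte (0x01 = SIGHASH_ALL), then the 65-byte uncompressed public key.
PAGE_SCRIPTS = {
    "input 1": "30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e0104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff",
    "input 2": "30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab0104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff",
}

def parse_sig_script(hex_script):
    """Return (r, s, sighash_type, pubkey_hex) by walking DER SEQUENCE { INTEGER r, INTEGER s }."""
    b = bytes.fromhex(hex_script)
    if b[0] != 0x30:
        raise ValueError("signature must start with the DER SEQUENCE tag 0x30")
    seq_end = 2 + b[1]              # short-form length byte; enough for any ECDSA signature
    pos, ints = 2, []
    for _ in range(2):              # r first, then s
        if b[pos] != 0x02:
            raise ValueError("expected a DER INTEGER tag 0x02")
        length = b[pos + 1]
        # Lenient on purpose: no check that the integer's high bit is clear. The page's r
        # begins 0xd4 with no 0x00 pad, which strict DER (consensus-enforced by BIP66 from
        # 2015) rejects; signatures from before then often look like this.
        ints.append(int.from_bytes(b[pos + 2:pos + 2 + length], "big"))
        pos += 2 + length
    if pos != seq_end:
        raise ValueError("DER SEQUENCE length does not match its contents")
    return ints[0], ints[1], b[pos], b[pos + 1:].hex()

def find_repeated_r(scripts):
    """Group signatures by r; an r seen more than once means the nonce k was reused."""
    by_r = {}
    for label, script in scripts.items():
        r, s, _, pubkey = parse_sig_script(script)
        by_r.setdefault(r, []).append((label, s, pubkey))
    return {r: uses for r, uses in by_r.items() if len(uses) > 1}

if __name__ == "__main__":
    for r, uses in find_repeated_r(PAGE_SCRIPTS).items():
        print(f"reused r = {r:064x}")
        for label, s, pubkey in uses:
            print(f"  {label}: s = {s:064x}, pubkey = {pubkey[:16]}...")
```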

This is where the repeating R values come from. Because the r values are equal, Schneider was able to recover the private key behind that public key, as he shows in his blog post. At the very end he explains why the vulnerability works:

Why did this work? ECDSA requires a random number for each signature. If this random number is ever used twice with the same private key it can be recovered. This transaction was generated by a hardware bitcoin wallet using a pseudo-random number generator that was returning the same “random” number every time.
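As an added illustration of Schneider's explanation (not code from his post or from any wallet), here is textbook ECDSA on secp256k1 with the nonce k deliberately reused across two signatures; the private key, message hashes and nonce are all constructed for the demo. It shows r repeating and the key falling out of the two (r, s) pairs, which is why a wallet's nonce must be unpredictable and never repeated.

```python
# secp256k1 domain parameters (Bitcoin's curve; standard published constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    # Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity.
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    # Double-and-add scalar multiplication (not constant-time; fine for a demo).
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ecdsa_sign(d, z, k):
    # Textbook ECDSA: r = (k*G).x mod N, s = k^-1 * (z + r*d) mod N; k is the per-signature nonce.
    r = ec_mul(k, G)[0] % N
    return r, (z + r * d) * pow(k, -1, N) % N

def recover_private_key(r, s1, z1, s2, z2):
    # Same k and same d in both signatures: s1 - s2 = k^-1 * (z1 - z2), so k and then d fall out.
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N

# Constructed demo values (not the page's transaction): key, two sighash values, one reused nonce.
DEMO_D = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
DEMO_Z1 = 0x2A0E5BDBD1B5C9D2F2A1F9BB4D3F6E0A7C8B9D0E1F2A3B4C5D6E7F8091A2B3C4
DEMO_Z2 = 0x5C7B8A9F0E1D2C3B4A5968778695A4B3C2D1E0F1A2B3C4D5E6F708192A3B4C5D
DEMO_K = 0x7F3B2A1C0D9E8F7A6B5C4D3E2F1A0B9C8D7E6F5A4B3C2D1E0F1A2B3C4D5E6F70

def demo():
    # Sign two different hashes with the same nonce: r repeats, and the private key is recovered.
    r1, s1 = ecdsa_sign(DEMO_D, DEMO_Z1, DEMO_K)
    r2, s2 = ecdsa_sign(DEMO_D, DEMO_Z2, DEMO_K)
    return r1 == r2, recover_private_key(r1, s1, DEMO_Z1, s2, DEMO_Z2) == DEMO_D
```

demo() returns (True, True); signing the same hash with a different nonce gives a different r, which is the behaviour a correct RNG must guarantee.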

Blockchain.info’s role in the attack

Because the repeating R values come from a poorly generated "random" number, it is blockchain.info's fault that change addresses and users' main addresses were generated using a poorly chosen random seed. As such, blockchain.info is taking full responsibility and is refunding its users who lost coins during the time period.

If you lost any coins during this time please make sure to email blockchain.info at support@blockchain.zendesk.com to see what they can do for you. If you liked this article follow us on Twitter @themerklenews and don't forget to subscribe to our newsletter.

Mark Arguinbaev

I'm a 29 year old cryptocurrency entrepreneur. I was introduced to Bitcoin in 2013 and have been involved with it ever since. Fun Fact: I mined cryptocurrency using my college dorm room's free electricity.
