Flaw in early Bitcoin wallets shows how much crypto depends on secure code

As the Post explains, the problem “stems from wallet programs that created cryptographic keys that weren’t random enough. Instead of crafting electronic keys that were one in a trillion and therefore very hard for an outsider to forge, they made keys that were one in some number of thousands—a randomness factor easily hacked.”

In other words, hackers could use trial and error to guess the private key of these wallets and steal the contents. For now, the details of the vulnerability are only known by the security firm that discovered it, and they are not disclosing them for obvious reasons—but the firm made clear it’s a matter of time till bad guys find it too.

While this sounds like a potential catastrophe, the fallout is likely to be relatively minor since the wallet flaw affects only certain pre-2016 wallets created by the firm Blockchain and a few others. Blockchain has been warning its customers so those affected have time to patch their wallet or move their Bitcoin somewhere else.

The most interesting question for me is what will become of the vulnerable wallets whose owners have long ago forgotten about them. There are likely more of these than we might imagine. I recall, for instance, a friend who briefly dated a guy who sent her a small amount of Bitcoin to try and get her interested in crypto—but who, understandably, promptly forgot about it soon after. No doubt there are many others in her situation since there are reportedly at least 4 million Bitcoins lost forever.

The irony is that the price of Bitcoin in 2015 was as low as $300 and is up 100-fold since then, which means even small amounts from that era are worth a healthy sum. The upshot is that news of the vulnerability will set off a race to recover all that forgotten Bitcoin—a race not unlike those expeditions that seek to find and recover sunken vessels that contain gold bars.

Unfortunately, those likely to win that race are nasty characters like the North Korean military hackers, who already spend their time trying to steal crypto. The Post reports there have been proposals for white hat hackers to steal the Bitcoin first and figure out a way to safeguard and distribute it. Alas, for now, the plan is not going forward due to fear of legal liability.

All of this a fine reminder of just how much the integrity of crypto depends on secure code. After 15 years without a hack, the code that runs Bitcoin itself can be considered all but bulletproof but, as ever, third parties who build around it can make mistakes. This is a lesson newer blockchain projects should take to heart.

Finally, speaking of hacking, FBI and Justice Department agents will be on hand at the Blockchain Association’s Policy Summit in Washington, D.C. on Nov. 29–30. My colleague Leo Schwartz will be there too along with some big names from the world of politics—you can check out the details here.

Jeff John Roberts
jeff.roberts@fortune.com
@jeffjohnroberts

DECENTRALIZED NEWS

Tether is moving into Bitcoin mining with plans to spend $500 million on its own facilities and on stakes in other mining firms. (Bloomberg)

The secure email service Proton Mail is deploying blockchain technology as a means of verifying email addresses. (Fortune)

As the world moves on from Sam Bankman-Fried, The Bahamas is struggling to shake off the taint from his association. (CoinDesk)

Funding levels of Bitcoin perpetual futures are at 2021 levels prior to it reaching $69,000, which points to bullish sentiment even as spot price sagged back to $36,000. (Bloomberg)

NBA star Shai Gilgeous-Alexander is suing to reverse his purchase of a giant home in Toronto because it keeps being visited by menacing figures seeking the crypto crook who used to own it. (NYT)

MEME O’ THE MOMENT

Oops. Fox uses CZ's photo in place of Citadel CEO: