CybersecurityActively used private keys on the ethereum blockchain facilitate cryptocurrency theft

Published 24 April 2019

Researchers at Independent Security Evaluators (ISE) have discovered 732 actively used private keys on the Ethereum blockchain. The researchers also found that poorly implemented private key generation is also facilitating the theft of cryptocurrency.

Poorly implemented key generation facilitates bitcoin theft // Source: pixabay.com

Researchers at Independent Security Evaluators (ISE) have discovered 732 actively used private keys on the Ethereum blockchain. In their new study titled “Ethercombing,” ISE found that poorly implemented private key generation is also facilitating the theft of cryptocurrency. The researchers identified 13,319 Ether (ETH) which was transferred to both invalid destination addresses and forever lost, as well as to wallets derived from weak private keys which were targeted for theft. The value of the combined total loss would have been $18,899,969 at the peak of the Ethereum market in mid-January 2018 (click here for a copy of the paper).

“The chances of duplicating or guessing the same randomly-generated private key already used on the Ethereum blockchain is approximately 1 in 115 quattuorvigintillion (2^256), so brute forcing someone’s private key should be practically impossible,” says ISE researcher Adrian Bednarek. In light of these odds, the number of ETH tokens, number of transactions, total USD value of lost ETH, and number of actively used private keys found by ISE’s researchers was significant.

ISE’s ability to find these actively used private keys was presumably made possible due to programming errors in the software which generated them. For example, the team hypothesized that in various Ethereum wallet software implementations, a 256-bit, sufficiently random private key might be created, but the full value of the key becomes truncated on output due to coding mistakes. Likewise, error codes used as keys, memory reference issues, object confusion, stack corruption, heap corruption, or unchecked pre-compiled coding errors could also result in weak keys. These private keys are not sufficiently random which makes it trivial for a computer to brute force and eventually guess.

To find these keys, the researchers enumerated every possible private key in targeted sub-sections of the 256-bit key space where truncated or weak keys seemed likely to occur. To their surprise, the private keys discovered corresponded with 49,060 transactions on the Ethereum blockchain.