Crypto cybersecurity firm Unciphered has unearthed a decade-old crypto wallet bug affecting browser-based wallets generated between 2011 and 2015.

加密网络安全公司 Unciphered 发现了一个存在十年之久的加密钱包漏洞，该漏洞影响了 2011 年至 2015 年间生成的基于浏览器的钱包。

The bug may allow nefarious actors to steal up to $2.1 billion from wallets on various networks, including Bitcoin (BTC), Dogecoin (DOGE), Litecoin (LTC), and Zcash (ZEC).

该漏洞可能允许不法分子从各种网络的钱包中窃取高达 21 亿美元，包括比特币 (BTC)、狗狗币 (DOGE)、莱特币 (LTC) 和 Zcash (ZEC)。

Discovering An Ancient Bug

发现一种古老的虫子

In an interview with the Wall Street Journal, the Unciphered team explained that they’d accidentally discovered the bug during a failed attempt to recover an early investor’s $600,000 in lost Bitcoin (BTC).

在接受《华尔街日报》采访时，Unciphered 团队解释说，他们在试图追回早期投资者丢失的 60 万美元比特币 (BTC) 的过程中意外发现了该漏洞。

The entrepreneur, Nick Sullivan, created his Bitcoin wallet back in 2014 using the website Blockchain.info (since renamed to Blockchain.com). Later, he accidentally lost access to his coins after wiping his computer’s memory without remembering to record his wallet’s private key.

企业家尼克·沙利文 (Nick Sullivan) 早在 2014 年就使用 Blockchain.info 网站（现已更名为 Blockchain.com）创建了自己的比特币钱包。后来，他在擦除计算机内存而忘记记录钱包私钥的情况下，意外地失去了对他的硬币的访问权限。

At Sullivan’s request, Unciphered began searching for Sullivan’s coins in January 2022. Though they ultimately lacked enough information to get them back, they realized in the process that Blockchain.info’s code for creating random wallet keys – BitcoinJS – did not make all of its wallets random enough.

应沙利文的要求，Unciphered 于 2022 年 1 月开始搜索沙利文的代币。尽管他们最终缺乏足够的信息来找回这些代币，但他们在此过程中意识到，Blockchain.info 用于创建随机钱包密钥的代码 – BitcoinJS – 并没有制作其所有钱包足够随机。

“BitcoinJS is terribly broken up till March 2014,” said Unciphered co-founder Eric Michaud. “Anyone directly using it is on the very high end of risk to attack.”

Unciphered 联合创始人埃里克·米肖 (Eric Michaud) 表示：“直到 2014 年 3 月，BitcoinJS 才彻底崩溃。” “任何直接使用它的人都面临着极高的攻击风险。”

Another wallet site, Dogecoin.info, also used BitcoinJS, leaving many old Dogecoin users exposed to the same vulnerability.

另一个钱包网站 Dogecoin.info 也使用了 BitcoinJS，导致许多狗狗币老用户面临同样的漏洞。

Unciphered claims that wallets made before March 2012 contain $100 million in assets that could easily be hacked by a home computer user. Another $50 billion is held in wallets created between then and 2015, of which at least $500 million is vulnerable.

未加密的说法称，2012 年 3 月之前制作的钱包包含 1 亿美元的资产，这些资产很容易被家庭计算机用户黑客攻击。从当时到 2015 年创建的钱包中还有 500 亿美元，其中至少 5 亿美元是脆弱的。

Cryptographers discovered flaws in wallet generation randomness back in 2014, and improved their methods since. Unciphered said it hadn’t discovered any wallets generated after 2016 suffering from weak randomness.

密码学家早在 2014 年就发现了钱包生成随机性的缺陷，并从那时起改进了他们的方法。 Unciphered 表示，尚未发现 2016 年之后生成的任何钱包随机性较弱。

How to Tell Victims?

如何告诉受害者？

Unciphered came public with the vulnerability this week, but has been quietly warning affected users that their assets are at risk for months.

Unciphered 本周公开了该漏洞，但几个月来一直悄悄警告受影响的用户，他们的资产面临风险。

The challenge was convincing millions of victims to move their funds without revealing the vulnerability to thieves who would otherwise leverage it to steal coins.

面临的挑战是说服数以百万计的受害者转移资金，同时又不向窃贼透露该漏洞，否则窃贼会利用这些资金来窃取代币。

Unciphered ultimately decided to go to the biggest site responsible for generating such wallets that might be in a position to discretely notify affected users. That site ended up being the one Sullivan used – Blockchain.com.

Unciphered 最终决定访问负责生成此类钱包的最大网站，该网站可能能够单独通知受影响的用户。该网站最终成为沙利文使用的网站——Blockchain.com。

The site sent out emails to holders of over 1.1 million affected wallets and found a way to automatically update the wallets of anyone who visited its site.

该网站向超过 110 万个受影响钱包的持有者发送了电子邮件，并找到了一种方法来自动更新访问其网站的任何人的钱包。

“In crypto, you need to be pretty skeptical of people who call with something that sounds dramatic, because there are so many scammers,” Blockchain.com President Lane Kasselman said regarding Unciphered’s warning. “It was unclear who they were and what the scope of it was.”

Blockchain.com 总裁 Lane Kasselman 在谈到 Unciphered 的警告时表示：“在加密货币领域，你需要对那些打电话说一些听起来很戏剧性的事情的人保持怀疑，因为诈骗者太多了。” “目前尚不清楚他们是谁以及其范围是什么。”

Many affected users still haven’t been warned directly since the sites they used to create their wallets are now out of business.

许多受影响的用户仍未收到直接警告，因为他们用来创建钱包的网站现已停业。

The post Old Crypto Wallet Bug Puts $2.1 Billion At Risk: Unciphered appeared first on CryptoPotato.

旧加密货币钱包漏洞将 21 亿美元置于危险之中：未加密的帖子首先出现在 CryptoPotato 上。