$10 million stolen, and Nobody noticed

Caute_cautim

Hi All

Imagine an attack against Bitcoin, only to discover the criminals have been you to it. Here is the story of how $10 million vanished without a trace.

First, some background. Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) for transaction security. It is difficult to write a good ECDSA implementation because small mistakes can reveal your private key.

ECDSA relies on nonces.which are random numbers used only once during a cryptographic operation. Small weaknesses in your ECDSA nonces can be exploited to reverse-engineer your private key.

In 2023, researchers discovered a new flaw in ECDSA nonce generation related to weak random number generators. With this attack, dubbed Polynonce, tiny correlations between the random numbers in the nonces and the private key were exploited to break the private key.

Curious about the impact of the attack, the researchers downloaded the entire Bitcoin transaction history. They discovered over 700 wallets that exhibited evidence of this weakness. Here is the catch:

The wallets were empty.

Digging further into the transactions, they concluded at least $10 million was stolen because of this Polynonce weakness. These thefts were unreported until that point, which everyone wonder how many other undiscovered attacks there are on weak randomness or other ECDSA vulnerabilities.

Thanks to Duncan Jones for bringing this to our attention.

https://research.kudelskisecurity.com/2023/03/06/polynonce-a-tale-of-a-novel-ecdsa-attack-and-bitcoi...

Everyone happy to keep using Bitcoin and other cryptocurrency systems?

Regards

Caute_Cautim