Hi All
Imagine an attack against Bitcoin, only to discover the criminals have beaten you to it. Here is the story of how $10 million vanished without a trace.
First, some background. Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) for transaction security. It is difficult to write a good ECDSA implementation because small mistakes can reveal your private key.
ECDSA relies on nonces, which are random numbers used only once during a cryptographic operation. Small weaknesses in your ECDSA nonces can be exploited to reverse-engineer your private key.
In 2023, researchers discovered a new flaw in ECDSA nonce generation related to weak random number generators. With this attack, dubbed Polynonce, tiny correlations between the random numbers in the nonces and the private key were exploited to break the private key.
Curious about the impact of the attack, the researchers downloaded the entire Bitcoin transaction history. They discovered over 700 wallets that exhibited evidence of this weakness. Here is the catch:
The wallets were empty.
Digging further into the transactions, they concluded at least $10 million was stolen because of this Polynonce weakness. These thefts were unreported until that point, which makes everyone wonder how many other undiscovered attacks there are on weak randomness or other ECDSA vulnerabilities.
Thanks to Duncan Jones for bringing this to our attention.
Everyone happy to keep using Bitcoin and other cryptocurrency systems?
Regards
Caute_Cautim
This was the main problem before Crypto systems went live. We were all told it was going to be secure and transactions were logged, the blockchain was shared and it was decentralized. But what about the mechanisms to secure it? Are they subject to rigorous testing? Can they refund you if something goes wrong or the design of something was flawed from day 1? This is why it's a high risk to invest in bitcoin or other Crypto markets.
@funkychicken Even if they are registered in Singapore and registered with the Financial Institution or regulator. Nope, they are not secure at all, even less if AI is applied; they can change the rules overnight.
Regards
Caute_Cautim
Yes, I think AI could help with this. If a situation arises where a wallet is compromised and does not come from the agreed owner of the wallet, then this can be automatically shut down and only opened again by using the recovery keys from the wallet. Or maybe implement another authentication factor on the wallet to assist with this.
@funkychicken Not if the provider changes the rules, which they are entitled to do, and uses the AI to enact them, to the benefit of the provider and not the client. The original issue is that the cryptographic algorithm ECDSA has inbuilt flaws, which in this case an unknown perpetrator has exploited to leave no trail whatsoever, which is horrific.
Regards
Caute_Cautim