Preliminary blockchain analysis

We used data from Glassnode and Dune Analytics queries to determine the amount of Bitcoin in addresses that were created during the time that the vulnerability was live and found that over 1.45M BTC ($52 billion at current prices) is still held in addresses that were first created during the impacted time period. 

Because we’re talking about non-custodial wallets, even the wallet developers themselves can’t know the exact amount of BTC held in wallets they created. Owing to their ease-of-use of BitcoinJS-based wallets when compared to other early Bitcoin wallets, we know that impacted wallet software had a large market share. For instance, blockchain.com reported being responsible for 28% of Bitcoin transactions between 2012 and 2021. (https://www.cnbc.com/2021/03/24/blockchain-com-rides-bitcoin-mania-to-a-5-2-billion-valuation.html). 

The likelihood of a specific cryptocurrency address (aka, wallet) being cryptographically weak hinges on several factors. Particularly critical is the software version used: for instance, Blockchain.info wallets created before March 2012, or other wallets generated using the open-source version of BitcoinJS prior to crucial updates implemented in March 2014, are at heightened risk.

In the case of wallets where additional entropy was incorporated, such as blockchain.info wallets created after March 2, 2012, a multitude of factors come into play. For instance, the browser used by the wallet owner, alongside the approach to password creation, be it through a password generator or manual input, and even the typing speed can influence security. These factors, while not exhaustive, collectively contribute to the security of the private keys generated. Depending on the exact combination of variables, entities with extensive GPU resources, like nation-states or GPU mining farms, could still feasibly access private keys. This complexity underscores the importance of comprehensive awareness and proactive wallet migration to secure potentially impacted funds.

Below, we calculate the relative vulnerability of wallets generated under different scenarios and the number of affected wallets in each of these cases:

Estimate Model For Vulnerable Wallets

Vanilla BitcoinJS Main Line

• November 2011 to March 2014

• Compute: 1 GPU within a day in the fastest case scenario

• Example: Nvidia 3090 - MSRP $1300 - 11/8/2023 - available on Amazon. These are the same ones you find in high-end gaming PCs.

• Amount: Some % of 870,000 BTC ($31B)

• % unknown because Wallet generation numbers are not published, BitcoinJS was Forked 157 times by 8/3/14 and 2.1k Forked by 11/8/2014 

• March 2014 to December 2015

1. Compute: Close to 256-bit key strength - Key almost generated with full entropy - the standard level of encryption you would want/expect in a secure wallet.

2. Amount: Some % of 530,000 BTC ($18.9B)

1. % unknown because Wallet generation numbers are not published, BitcoinJS was Forked 157 times by 8/3/14 and 2.1k Forked by 11/8/2014 

3. We have seen examples that some vendors didn’t upgrade till much later and those wallets are still producing vulnerable wallets.

Blockchain.info (Forked from BitcoinJS)

• November 2011 to March 2012

• Compute: 1 GPU within a day in the fastest case scenario

• Example as above: Nvidia 3090 - MSRP $1300 - 11/8/2023 - available on Amazon.

• Amount: ~6% of 50,000 BTC = 3,000 BTC (~$107M)

• March 2013 to March 2014

• Compute: 10,000 GPUs in around a year to do the entire keyspace of potential wallets (in the fastest case scenario - but to be clear, you will be generating wallets throughout the process at random)  -  Nation State Like DPRK / RU / CN OR Commercial Crypto Mining Company

• https://www.tomshardware.com/news/mining-farm-walkthrough-full-rtx-3070

• https://www.jonpeddie.com/news/crypto-minings-half-a-billion-dollar-impact-on-aib-sales/

• https://earthjustice.org/feature/cryptocurrency-mining-texas

• Amount: ~6% of 820,000 BTC = 49,000 BTC (~$1.78B)

• March 2014 to December 20153/2014

  • Compute: Close to 256-bit key strength but was still using the vulnerable random number generator. Additional sources of entropy such as key presses, mouse clicks, and mouse movements likely supply required entropy.

The popularity of BitcoinJS adds considerable difficulty when assessing the scope of this issue. According to the wayback machine, as of August 2014 there were 157 forks of the bitcoinjs library

Screenshot from https://web.archive.org/web/20140803031351/https://github.com/bitcoinjs/bitcoinjs-lib

At the time of publication (November 2023) there are 2100+ forks of BitcoinJS 

Screenshot from https://github.com/bitcoinjs/bitcoinjs-lib