ELON MUSK TWEET: Unciphered discovers $1b vulnerability in BitcoinJS-built crypto wallets - Experts Are Stunned

UPDATED: Tue, 07 Apr 2026 10:11:17 GMT

Unciphered discovers $1b vulnerability in BitcoinJS-built crypto wallets

Yana Khlebnikova
Edited by

A crypto recovery company, Unciphered, has discovered a significant vulnerability in the BitcoinJS library.

A billion-dollar vulnerability in old Bitcoin (BTC) wallets generated with the BitcoinJS library was exposed on Nov. 14. Crypto recovery firm Unciphered said it had learned that the popular JavaScript library did not always generate sufficiently random private keys.

As reported by The Washington Post, the vulnerability, called Randstorm, was prevalent among crypto wallets generated between 2011 and 2016. While no specific details on the bug have been released, the report says the BitcoinJS library was not generating private keys for crypto wallets properly. The random number generator was insufficient, leaving nearly $1 billion worth of crypto exposed to a hack.

“BitcoinJS is terribly broken up till March 2014. Anyone directly using it is on the very high end of risk to attack.”

Unciphered Co-Founder Eric Michaud

BitcoinJS developer Stefan Thomas confirmed the vulnerability in a comment to The Post. He had developed the software as a hobby, taking the major part of the code from source code published on Stanford University’s website.

“Instead, I was obsessed about making sure that I did not make any mistakes in my own code. I’m sorry to anyone affected by this bug.”

BitcoinJS developer Stefan Thomas

According to The Post, the BitcoinJS library was used by many crypto websites such as Blockchain.com (formerly Blockchain.info), Dogechain.info, Block.io, and others. However, Blockchain.com is said to have fixed the issue, adding more randomness to the random number generator.

The BitcoinJS vulnerability does not appear to be entirely new. In 2018, David Gerard, a Unix system expert based in the U.K., revealed that he had discovered discussion threads on this particular issue on the Bitcointalk forum from as early as 2013. Back then, some web-based Bitcoin wallets used the SecureRandom() function to generate private keys.

According to Gerard, the function generates cryptographic keys with less than 48 bits of entropy regardless of the entropy level of the seed. The JavaScript function then runs the alphanumeric key through the obsolete RC4 algorithm, which is generally considered predictable. That predictability makes the private key vulnerable to brute-force hacking.
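
The effect Gerard describes can be shown at toy scale. The following is an added example, not BitcoinJS code or anything from the article's sources: it stretches a low-entropy seed into a 256-bit key with RC4 and counts how many distinct keys are reachable, next to key generation from the operating system's CSPRNG. The names `weakKeyFromSeed`, `reachableKeys` and `strongKey`, and the 12-bit seed size used to keep the run short, are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Textbook RC4: key scheduling, then keystream generation.
function rc4Keystream(key, length) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = Buffer.alloc(length);
  for (let n = 0, i = 0, j = 0; n < length; n++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[n] = S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Hypothetical weak generator (assumption, not the library's code):
// a small integer seed is the only secret input, and RC4 stretches it
// into a 32-byte value that looks like a full-strength private key.
function weakKeyFromSeed(seed) {
  const seedBytes = Buffer.alloc(4);
  seedBytes.writeUInt32BE(seed >>> 0);
  return rc4Keystream(seedBytes, 32);
}

// Count the distinct 256-bit keys reachable from every seed of
// `seedBits` bits. The count can never exceed 2 ** seedBits: the
// stretching step is deterministic, so it adds length but no entropy.
function reachableKeys(seedBits) {
  const seen = new Set();
  for (let seed = 0; seed < 2 ** seedBits; seed++) {
    seen.add(weakKeyFromSeed(seed).toString('hex'));
  }
  return seen.size;
}

// Hardened form: take all 32 bytes directly from the OS CSPRNG.
function strongKey() {
  return crypto.randomBytes(32);
}

console.log('keys reachable from a 12-bit seed:', reachableKeys(12));
console.log('CSPRNG key:', strongKey().toString('hex'));
```

The same bound applies at the size quoted above: a key built from less than 48 bits of entropy comes from a set of fewer than 2^48 values, however long the key looks.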