Another Round of Reused R Values Leads to More Stolen Bitcoins

BitcoinTalk user johoe has found more Bitcoin signatures with repeated R values or “nonces,” a vulnerability allowing him to steal coins from wallets associated with the bad signatures. However, johoe’s goal in exploiting security flaws is to make Bitcoiners aware of them, and he wants to give the money back to the people who can prove ownership of the bad addresses.

Repeating R Values Leaves Bitcoiners Vulnerable

Johoe discovered at least 149 keys associated with the vulnerable signature, and he reports that “at least 87 [keys] are compromised now.” “Most keys are related to 1BTrViTDX…” he says, “in the sense that they are inputs in the same transaction.”

On BitcoinTalk, johoe said that he used a bot to sweep the compromised keys, giving him possession of the bitcoins stored on the associated addresses. He says that “if you can prove that it is your address, you can contact me to get the collected funds back.” He also warns the would-be victims not to use the compromised addresses again, because “there will probably be other persons setting up bots soon…”

For those who lost funds in this exploit and want to get them back, johoe says that they can sign a message with 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b. The address doesn’t seem to be compromised, but johoe warns that it should not be used anymore since it has been exposed.

The BitcoinTalk member does not think the current repeated R values are coming from a hardware wallet, since they all now use deterministic signatures. He speculates that the problem could be coming from “a bad random number generator,” or that someone could have “cloned the random state (e.g. by cloning a virtual machine or forking process) or maybe even another openssl problem.” He says that based on the observed patterns, a cloned virtual machine is the most likely suspect.
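Wallet operators can audit their own signatures for the condition described above. The following is an added example, not code from the article or from johoe: it parses DER-encoded ECDSA signatures and reports every r value that appears in more than one signature. The transaction labels, key names and signature bytes are constructed for illustration.

```python
from collections import defaultdict

def parse_der_sig(sig: bytes) -> tuple[int, int]:
    """Return (r, s) from a DER ECDSA signature; one trailing sighash byte is allowed."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] >= 0x80:
        raise ValueError("not a short-form DER SEQUENCE")
    end = 2 + sig[1]
    if end > len(sig) or len(sig) - end > 1:
        raise ValueError("SEQUENCE length does not match the data")
    pos, ints = 2, []
    for _ in range(2):                      # exactly two INTEGERs: r, then s
        if pos + 2 > end or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n = sig[pos + 1]
        if n == 0 or n >= 0x80 or pos + 2 + n > end:
            raise ValueError("bad INTEGER length")
        ints.append(int.from_bytes(sig[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != end:
        raise ValueError("trailing data inside SEQUENCE")
    return ints[0], ints[1]

def find_reused_r(records):
    """records: (label, pubkey, sig_hex) tuples. Returns {r: [(label, pubkey), ...]}
    for every r that occurs in more than one signature, under any key."""
    seen = defaultdict(list)
    for label, pubkey, sig_hex in records:
        r, _s = parse_der_sig(bytes.fromhex(sig_hex))
        seen[r].append((label, pubkey))
    return {r: uses for r, uses in seen.items() if len(uses) > 1}

# Constructed sample data: labels, key names and signature bytes are made up.
R_DUP = "1a" * 32
SAMPLE = [
    ("tx1", "key-A", "3044" + "0220" + R_DUP + "0220" + "2b" * 32 + "01"),
    ("tx2", "key-A", "3044" + "0220" + R_DUP + "0220" + "3c" * 32 + "01"),
    # r with the high bit set carries a DER 0x00 pad byte (33-byte INTEGER)
    ("tx3", "key-B", "3045" + "0221" + "00" + "c3" * 32 + "0220" + "4d" * 32 + "01"),
]

if __name__ == "__main__":
    for r, uses in find_reused_r(SAMPLE).items():
        print(f"r={r:064x} reused by {uses}")
```

Any r reported here means the signing keys involved should be treated as exposed and retired, in line with johoe's warning not to use the compromised addresses again.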

Johoe says that this is the first time the repeated nonces issue has appeared since December 2014.

Johoe gained the attention of the Bitcoin community in April of 2014 when he first discovered the repeated nonce vulnerability that allowed him to sweep private keys. The exploit was due to reused R values on the blockchain. Upon discovering this vulnerability, johoe swept several private keys, but announced on BitcoinTalk that he would return the coins to people who could prove ownership of compromised addresses.
