
Blockchain.info – Spending Bug

Another bug has been discovered in the Blockchain.info wallet system. A client had an old wallet that had not been used for a while; it held many small inputs, from faucets among other things, with a total value of 3 USD. Moving these coins to a new wallet seemed trivial. Upon trying to move the funds, however, the wallet threw an error. Looking at the address on the blockchain showed 0.0028 BTC, whereas the wallet application stated that 0.003 BTC was present.

Manually exporting the recovery phrase and then sending the coins to another wallet was the ultimate solution, and it worked, showing the correct balance when we did so. Blockchain.info previously had a bug which involved reusing random values when signing transactions, meaning anyone scanning the blockchain could deduce the private key behind such transactions. This is a known weakness of the ECDSA algorithm used by Bitcoin: the random value chosen for each signature must never repeat. The bug was seemingly fixed, but there have been reports surfacing of reused R values on the blockchain again. An ethical hacker swept affected wallets the first time this took place and returned the funds to users.

While online wallets are fine for spare change, they are not good practice for long-term storage of coins. The best solution is a hardware wallet, or an Electrum 2FA wallet (with the seed stored securely). Hardware wallets are even more secure than paper wallets: you must import a paper wallet to a PC to use it, whereas the private keys never leave a hardware wallet. In this case Blockchain.info was showing a balance that wasn’t there. The funds were successfully moved pending confirmation, which is likely to take a while due to the sheer number of inputs.

Be cautious when using any online wallet, although bugs can happen to anybody. It took my client a while to figure out why the transaction was not happening, and it required my advice on the subject. And while it was a small amount, in my client's currency it would be enough to buy staples for the week.

 

 
