One of the best articles I read this week was a Washington Post report that revealed how some Bitcoin wallets from the pre-2016 era have a major vulnerability that could let hackers guess their private key, which is the password that controls the wallet.
As the Post explains, the problem "stems from wallet programs that created cryptographic keys that weren’t random enough. Instead of crafting electronic keys that were one in a trillion and therefore very hard for an outsider to forge, they made keys that were one in some number of thousands—a randomness factor easily hacked."
In other words, hackers could use trial and error to guess the private key of these wallets and steal the contents. For now, the details of the vulnerability are only known by the security firm that discovered it, and they are not disclosing them for obvious reasons—but the firm made clear it's a matter of time till bad guys find it too.
While this sounds like a potential catastrophe, the fallout is likely to be relatively minor since the wallet flaw affects only certain pre-2016 wallets created by the firm Blockchain and a few others. Blockchain has been warning its customers so those affected have time to patch their wallet or move their Bitcoin somewhere else.
The most interesting question for me is what will become of the vulnerable wallets whose owners have long ago forgotten about them. There are likely more of these than we might imagine. I recall, for instance, a friend who briefly dated a guy who sent her a small amount of Bitcoin to try and get her interested in crypto—but who, understandably, promptly forgot about it soon after. No doubt there are many others in her situation since there are reportedly at least 4 million Bitcoins lost forever.
The irony is that the price of Bitcoin in 2015 was as low as $300 and is up 100-fold since then, which means even small amounts from that era are worth a healthy sum. The upshot is that news of the vulnerability will set off a race to recover all that forgotten Bitcoin—a race not unlike those expeditions that seek to find and recover sunken vessels that contain gold bars.
Unfortunately, those likely to win that race are nasty characters like the North Korean military hackers, who already spend their time trying to steal crypto. The Post reports there have been proposals for white hat hackers to steal the Bitcoin first and figure out a way to safeguard and distribute it. Alas, for now, the plan is not going forward due to fear of legal liability.
All of this a fine reminder of just how much the integrity of crypto depends on secure code. After 15 years without a hack, the code that runs Bitcoin itself can be considered all but bulletproof but, as ever, third parties who build around it can make mistakes. This is a lesson newer blockchain projects should take to heart.
Finally, speaking of hacking, FBI and Justice Department agents will be on hand at the Blockchain Association's Policy Summit in Washington, D.C. on Nov. 29–30. My colleague Leo Schwartz will be there too along with some big names from the world of politics—you can check out the details here.
Jeff John Roberts
jeff.roberts@fortune.com
@jeffjohnroberts
