A timewarp attack on Bitcoin lets malicious miners game the timestamp system to increase the rate of block generation beyond the intended rate. This attack has been possible since 2012 and was demonstrated on the testnet.
It has been dismissed as an unimportant issue for the past few years because it requires the majority of the hashrate and is easily blocked once someone starts using it.
Another cryptocurrency wallet boasting next-generation security has been released. The proprietary Lumi Wallet has been identified as either a scam or simply an insecure application. In a blog post, wallet developer Daniel Staudigel examined the security flaws of Lumi Wallet. According to Staudigel:
I know something is off — “truly private” and “web wallet” and “extremely secure” are impossible to have for the same product. If something is a web wallet, it’s definitely not extremely secure (see recent DNS attacks for MyEtherWallet), and it’s highly unlikely to be “truly private” due to technical limitations of the web.
The hardware wallet maker Ledger published news regarding the next firmware update for the Ledger Blue, their premium hardware wallet released after the Nano S, which has received only one firmware update since its launch:
Despite being a premium hardware wallet – the Blue received just one firmware update, as the Nano S received three. Rightly, many members of our community have been wondering about the future of the Ledger Blue, and asking us when we will build out new features through firmware updates. We’re sorry we kept you waiting so long
Trezor released a new feature that allows users to test the seed backup through the TREZOR Wallet user interface. The seed is the 12 or 24 unique words that you need to store safely and that are used to deterministically generate all private keys in HD wallets. Quote:
Starting today, you can rest easy, without necessarily needing to wipe and launch the setup process all over again. In the TREZOR Wallet user interface, just go to device settings by clicking on your device name, and then select Advanced > Check recovery seed. Follow the instructions and, in the end, the device will tell you the status of your recovery seed. Then, you can be confident that your seed is correct, or you will know for sure you need to generate a new one.
Some concerns were raised on bitcoin-dev regarding potential vulnerabilities in some JavaScript-based crypto applications, more precisely the use of the SecureRandom() function, which collects entropy and includes a PRNG (Pseudo Random Number Generator).
TL;DR
The conclusion seems to be that at least all wallets generated by js tools inside browsers since bitcoin exists until 2011 are impacted by the Math.random weakness if applicable to the related implementations, the Math.random or RC4 (Chrome) weakness between 2011 and 2013, and RC4 weakness for Chrome users until end of 2015
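The Math.random weakness summarized above comes down to a generator that quietly degrades when no CSPRNG is present. The following is an added example, not code from the bitcoin-dev thread or from any wallet library: a constructed legacy-style pool fill beside a fail-closed form, plus an audit helper that reports whether key generation touched Math.random. The names legacyStylePool, hardenedPool and auditMathRandom are hypothetical.

```javascript
// Added example: all names here are hypothetical, not from any wallet library.
const webcrypto = globalThis.crypto ||
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Constructed legacy-style pool fill: uses the CSPRNG when one is passed in,
// otherwise silently falls back to Math.random, 16 bits per call.
function legacyStylePool(size, rng) {
  const pool = new Uint8Array(size);
  if (rng && typeof rng.getRandomValues === "function") {
    rng.getRandomValues(pool);
    return pool;
  }
  for (let i = 0; i < size; i += 2) {
    const t = Math.floor(65536 * Math.random());
    pool[i] = t >>> 8;
    if (i + 1 < size) pool[i + 1] = t & 255;
  }
  return pool;
}

// Hardened form: fail closed when no CSPRNG exists instead of degrading.
function hardenedPool(size, rng) {
  if (!rng || typeof rng.getRandomValues !== "function") {
    throw new Error("no CSPRNG available; refusing to generate key material");
  }
  return rng.getRandomValues(new Uint8Array(size));
}

// Audit helper: run a generator with Math.random instrumented and report
// how often it was consulted and whether the generator completed.
function auditMathRandom(generate) {
  const original = Math.random;
  let calls = 0;
  Math.random = () => { calls += 1; return original(); };
  try {
    generate();
    return { calls, completed: true };
  } catch (err) {
    return { calls, completed: false, error: err.message };
  } finally {
    Math.random = original; // always restore the real function
  }
}
```

Running auditMathRandom over a wallet tool's real key-generation entry point, once with the browser CSPRNG present and once with it withheld, shows whether that code path can ever reach Math.random.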