A security researcher from MyCrypto.com, Harry Denley, has posted a detailed â and damning â analysis of paper wallet site WalletGenerator.net.
The core of the analysis hinges on WalletGeneratorâs original open-source code, available here. Until August 17, 2018 the online code matched the open-source code and the entire project generated wallets using a client-side technique that took in real random entropy and produced a unique wallet. But sometime after that date the two sets of code stopped matching.
The result? The very real possibility that WalletGenerator is giving the same keys to multiple users. To test this, MyCryptoâs researcher ran the generator in bulk and got some odd results.
âApproaching from a different angle, we then used the âBulk Walletâ generator to generate 1,000 keys. In the non-malicious, GitHub version, we are given 1,000 unique keys, as expected.
However, using WalletGenerator.net at various times between May 18, 2019âââMay 23, 2019, we would only get 120 unique keys per session. Refreshing our browser, switching VPN locations, or having a different party perform the same test would result in a different set of 120 keys being generated.â
While the odd behavior was not found as of last Friday (May 24), it could be return at any time.
âWeâre still considering this highly suspect and still recommending users who generated public / private keypairs after August 17, 2018, to move their funds,â the researcher says. âWe do not recommend using WalletGenerator.net moving forward, even if the code at this very moment is not vulnerable.â
You can read the entire report here, but Denley recommends moving funds off of your WalletGenerator-based paper wallets. As there is no clear way to contact the âtwo random guy [sic] having fun with a side projectâ who apparently run the site, we can safely recommend you avoid the site altogether.
Code image via Shutterstock
