Bitcoin wallet provider Blockchain has warned of a bug in Google’s Android software which it believes led to duplicate address generation for its mobile wallets.
When Bitcoin’s software is operated as intended, the probability of generating an address that already exists is so low that it is practically impossible. An address consists of 34 alphanumeric characters. Accounting for some constraints, there are 2^160 (approx. 1.46*10^48) permutations of possible addresses.
Bitcoin wallet software often relies on the random number generation capabilities (entropy) of its host operating system to generate addresses, almost certain to be unique. In general, it is not considered necessary to validate the address with the network to ensure that it does not yet exist. Addresses can be generated offline.
How Automation is Helping China’s Traders Compete with the WorldGo to article >>
Blockchain has warned that the entropy on Android 4.1 “Jelly Bean” or older was insufficient, and in certain versions of its mobile wallet, a specific address was generated multiple times. This led to losses of funds for a handful of users. The frequency of the phenomenon was described as “rare”.
The company has released a new version of its Android wallet and has encouraged users to download it. As an additional precaution, funds sitting in potentially impacted addresses should be sent to new addresses not affected by the flaw. The old addresses should also be archived to avoid potential reuse.
Those impacted are also asked to contact to the support team. It was not specified if those experiencing losses with be refunded.
Blockchain, also known as blockchain.info, was one of the original Bitcoin wallet providers but has since experienced some technical issues. Late last year, wallets were created with recycled ‘R-values’ in formulas that generate random numbers, allowing the private keys to be calculated from the public keys. A white hat hacker who detected the flaw salvaged much of the funds at risk before they were stolen. Around the same time, clients experienced losses through a series of phishing and man-in-the-middle (MITM) attacks.