Bitcoin exchange Bitstamp has temporarily halted withdrawals and emailed users a warning about using old deposit addresses. Earlier today, Bitstamp noticed an issue with its hot wallet, stopped processing withdrawals, and is no longer honoring deposits made to old Bitcoin deposit addresses. According to Bitstamp, the private keys to old deposit addresses may have been lost.
Bitstamp users have been unable to withdraw bitcoins for over 24 hours, and although Bitstamp has confirmed the issue, the extent of the damage has yet to be officially revealed.
UPDATE: Wallet Breach Causes Bitcoin Exchange Bitstamp to Temporarily Suspend Service.
Some are comparing this situation to the Mt. Gox implosion, and though lost bitcoins are involved in both scenarios, the comparison is too rash. In the case of Mt. Gox, we are just now hearing confirmation that 99% of the missing Gox bitcoins were likely siphoned off due to fraud by an unknown party. Just after going under in early 2014, Mt. Gox “found” 200,000 bitcoins that were previously claimed to be lost. More specifically, the corresponding private key was recovered and found to be usable. A Bitstamp source has told CoinFire:
We are working to determine what has gone wrong. The majority of our coins are swept and placed in cold storage often so this shouldn’t be a major issue right now but we are still working to determine the breadth of the issue. This seems to be a server issue and not a compromise but our teams are still investigating.
Bitstamp Deposits Issue
Currently, if you try to deposit bitcoins to Bitstamp, you will be greeted with an emergency warning:
The Bitstamp team has also emailed its verified users:
Today our transaction processing server detected problems with our hot wallet and stopped processing withdrawals.
You should STOP SENDING bitcoin deposits to your Bitstamp account IMMEDIATELY as private keys of your deposit address may be lost.
Your bitcoins already deposited with us are stored in a cold wallet and can not be affected.
We will send you more info as soon as possible.
In the bitcoin world, the word “lost” has a special but familiar meaning. In everyday life, if a significant amount of cash (yes, a fiat currency example) is “lost” in public, its previous owners are probably correct to assume that the cash is lost to them but likely found by someone else. Cash, like bitcoin, is more or less fungible, which means that lost likely means stolen.
Bitstamp a Victim of Weak RNG?
Speaking speculatively, Dogecoin creator Jackson Palmer observed that the reported issues suggest very specific attack vectors, none of which immediately signify the Bitcoin apocalypse or Gox 2.0. He highlighted two possibilities:
- DB was compromised that held the old pub/private keys.
- Deposit addresses were being used by a not truly random number generator (RNG). I.e., someone realizes a pattern, is able to do an R-value attack like Blockchain.info was hit with.
As Palmer noted, a predictable random number generator is also what allowed johoe to steal 800 bitcoins from Blockchain.info wallets a few weeks ago. johoe was kind enough to return the bitcoins to Blockchain.info and raise awareness about the potential weak-RNG attack vector. If there was a weakness in the random number generator used to create deposit addresses, it is possible that the Bitcoin private keys corresponding to certain Bitstamp deposit addresses could be generated by a malicious third party. Palmer continued:
If it was an RNG attack then chances are they could have been getting skimmed for a while.
In this instance, the only affected accounts would belong to those who use their Bitstamp bitcoin deposit address in an automated fashion, such as for mining payouts or other regular deposits. Both depositing in such a manner and keeping any funds on any exchange account have long been considered insecure for Bitcoin storage and are widely discouraged. On the other hand, some users have for months now been experiencing deposit irregularities that suggest an outdated or manual system.
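A defender's audit for the weak-RNG scenario Palmer describes, as an added example that is not part of the original article: it parses DER-encoded ECDSA signatures and flags any r value that appears in more than one distinct signature, which is the visible symptom of a signing nonce that repeated. The sample signatures, transaction labels and key labels are constructed and shortened for illustration, and the parser assumes the trailing sighash byte has already been stripped.

```python
from collections import defaultdict

def parse_der_sig(sig: bytes) -> tuple[int, int]:
    """Return (r, s) from a DER-encoded ECDSA signature; raise ValueError if malformed."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    pos, values = 2, []
    for _ in range(2):                       # two INTEGERs: r, then s
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        n = sig[pos + 1]
        body = sig[pos + 2 : pos + 2 + n]
        if n == 0 or len(body) != n or body[0] & 0x80:
            raise ValueError("truncated or negative INTEGER")
        values.append(int.from_bytes(body, "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return values[0], values[1]

def find_reused_r(records):
    """Return ({r: [(txid, pubkey), ...]}, skipped_txids) for r values shared
    by more than one distinct signature. Exact duplicates (same r and s) are
    the same signature seen twice and are not counted as reuse."""
    seen = defaultdict(dict)                 # r -> {s: (txid, pubkey)}
    skipped = []
    for txid, pubkey, sig_hex in records:
        try:
            r, s = parse_der_sig(bytes.fromhex(sig_hex))
        except ValueError:
            skipped.append(txid)             # keep a list so bad input is reviewed
            continue
        seen[r].setdefault(s, (txid, pubkey))
    reused = {r: sorted(u.values()) for r, u in seen.items() if len(u) > 1}
    return reused, skipped

# Constructed sample data (shortened r and s values, hypothetical labels).
SAMPLE = [
    ("tx-a", "key-1", "300c0205112233445502030a0b0c"),
    ("tx-b", "key-1", "300c0205112233445502030d0e0f"),  # same r as tx-a
    ("tx-c", "key-2", "300c0205010203040502030a0b0c"),
    ("tx-d", "key-2", "3003020101"),                    # malformed on purpose
]

if __name__ == "__main__":
    reused, skipped = find_reused_r(SAMPLE)
    for r, uses in reused.items():
        print(f"r={r:#x} reused by {uses}: move funds off these keys")
    print("unparseable signatures:", skipped)
```

Any key that appears in the output should be treated as exposed and its funds moved to an address generated with a trusted random source.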