A security researcher from MyCrypto.com, Harry Denley, has uploaded a detailed analysis of paper wallet site WalletGenerator.net. It’s not a sight to behold for those procuring services from the platform.

The main focus of the analysis centers on WalletGenerator’s original open-source code. Everything was sailing smoothly until on August 17, 2018, when the online code matched the open-source code. The entire project generated wallets through a client-side technique that took in real random entropy and produced a unique wallet. However, since that date, the codes stopped matching.

Same keys to multiple users

What’s the issue? Well, it could be that WalletGenerator is giving the same keys to multiple users. So, MyCrypto’s researcher ran the generator in bulk to test the service and got some disturbing and damning results.

To quote the research paper, it tests the wallet by using “the ‘Bulk Wallet’ generator to generate 1,000 keys.” This action did not give any unusual responses as “in the non-malicious, GitHub version, we are given 1,000 unique keys, as expected.”

The report went on to say:

“However, using WalletGenerator.net at various times between May 18, 2019 — May 23, 2019, we would only get 120 unique keys per session. Refreshing our browser, switching VPN locations, or having a different party perform the same test would result in a different set of 120 keys being generated.

This must be sour reading for the WalletGenerator.net founders and designers, who will have to work tirelessly to stop the menace now and in the future. This would only be furthered as the report goes on to advise users of the company to stage a mass exodus:

“We’re still considering this highly suspect and still recommending users who generated public / private key pairs after August 17, 2018, to move their funds,” the researcher adds, “We do not recommend using WalletGenerator.net moving forward, even if the code at this very moment is not vulnerable.”

Just random guys having fun

Denley is clearly sending a stern warning to the site users. He also laments the lack of transparency in the company or accountability for the owners, calling them “two random guys” who are, “having fun with a side project.”

It is important to note that this incident is yet to reoccur, and no loss of funds has been reported, but the revelation is still a worrying prospect. Crypto wallets, paper or digital, should be the most secure thing and for it to be sending out the same keys is shocking. Although it could just be an anomaly, proceed with caution.