● Weak signature nonces discovered: a preprint paper by researchers Joachim Breitner and Nadia Heninger describes how they discovered hundreds of Bitcoin private keys by looking for signatures generated using nonces with less than the expected entropy of 256 bits. Independent code archaeology by Gregory Maxwell indicates that the main culprit was probably the BitPay Bitcore software which introduced a bug around July 2014 and released a fix about a month later. (Note: BitPay Bitcore is unrelated to Bitcoin Core.) From there, the bug propagated to software such as BitPay Copay that depended upon Bitcore. About 97% of the faulty signatures found in the paper are compatible with Maxwell’s Copay hypothesis, and the paper provides plausible explanations for most of the remaining 3% of signatures, indicating that users of modern wallets are probably safe provided they do not continue to use addresses whose bitcoins they spent using earlier vulnerable programs.

If you ever used an affected version of Bitcore (0.1.28 to 0.1.35), Copay (0.4.1 to 0.4.3), or other vulnerable software, you should create a new wallet file, send all of your funds from the old wallet file to an address in the new wallet, and discontinue use of the previous wallet file. When designing software that signs Bitcoin transactions, you should prefer to use peer-reviewed implementations that generate signature nonces deterministically, such as libsecp256k1 which implements RFC6979.
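To make the recommendation concrete, the following is an added example (not code from the paper, from Bitcore, or from libsecp256k1) showing what RFC 6979 deterministic nonce generation looks like for secp256k1 with SHA-256, a minimal ECDSA sign/verify built on it, and a small detection helper that flags repeated `r` values, which is the signal the paper's authors searched for. It is pure Python, uses only the standard library, and is neither constant-time nor hardened; it exists to show the algorithm, not to replace a peer-reviewed library. The curve constants are the public secp256k1 parameters; the key and message used in the test are a widely published test vector (private key 1, message "Satoshi Nakamoto"), not values taken from the page.

```python
import hashlib
import hmac

# secp256k1 domain parameters (public constants, not from the newsletter)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def rfc6979_nonce(priv: int, msg_hash: bytes) -> int:
    """Deterministic nonce k per RFC 6979 section 3.2 (HMAC-DRBG with SHA-256).

    For a 256-bit hash and a 256-bit group order, bits2int needs no truncation,
    so bits2octets(h1) is just the hash reduced mod N and re-encoded.
    """
    qlen = 32                                   # byte length of N
    x = priv.to_bytes(qlen, "big")              # int2octets(x)
    h1 = (int.from_bytes(msg_hash, "big") % N).to_bytes(qlen, "big")  # bits2octets(h1)
    V = b"\x01" * 32
    K = b"\x00" * 32
    K = hmac.new(K, V + b"\x00" + x + h1, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + x + h1, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        V = hmac.new(K, V, hashlib.sha256).digest()   # one 32-byte block covers qlen
        k = int.from_bytes(V, "big")
        if 1 <= k < N:
            return k
        # candidate out of range: reseed and try again (astronomically rare for secp256k1)
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()


def _point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _scalar_mult(k, point):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def sign(priv: int, msg_hash: bytes):
    """ECDSA signature (r, s) over a 32-byte message hash using an RFC 6979 nonce."""
    z = int.from_bytes(msg_hash, "big")
    k = rfc6979_nonce(priv, msg_hash)
    r = _scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if s > N // 2:            # canonical low-s form, as Bitcoin software expects
        s = N - s
    return r, s


def verify(pub, msg_hash: bytes, r: int, s: int) -> bool:
    """Standard ECDSA verification; accepts either s or N - s."""
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(msg_hash, "big")
    w = pow(s, -1, N)
    pt = _point_add(_scalar_mult(z * w % N, G), _scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def find_repeated_r(signatures):
    """Detection aid: given an iterable of (pubkey, r) pairs, return the set of r
    values seen more than once. A repeated r means a repeated nonce, the weakness
    the paper's authors looked for; with RFC 6979 this only occurs when the same
    key signs the same hash twice, which yields the same signature, not a leak."""
    seen, repeated = set(), set()
    for _, r in signatures:
        if r in seen:
            repeated.add(r)
        seen.add(r)
    return repeated
```

With a deterministic nonce the same key and message always produce the same signature, and a different message produces an unrelated nonce, so there is nothing for the paper's repeated-nonce search to find. A wallet that still generates `k` from its own random number generator has to get 256 bits of entropy right on every signature, which is exactly what the affected Bitcore versions failed to do.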

The fast analysis method employed by the authors of the paper took advantage of users who engaged in address reuse, but even keys for addresses that have not been reused are vulnerable to attack if the nonce generation is biased or too small. This can happen either by applying the same method to keys that signed more than once (e.g. when a transaction was replaced using Replace-By-Fee) or by simply brute-forcing the nonce using the baby-step giant-step or Pollard’s rho methods.