Blockchain security firm SlowMist has uncovered a severe vulnerability in a widely-used JavaScript elliptic encryption library, posing a major security risk to crypto wallets, identity authentication systems, and Web3 applications.
According to the firm’s March 5 post on X, the flaw, if exploited, could allow attackers to reverse engineer private keys, potentially giving them full control over users’ digital assets and credentials. It claimed that the vulnerability affects popular crypto wallets such as MetaMask, Trust Wallet, Ledger, and Trezor, along with numerous Web3 applications that rely on elliptic curve encryption for secure transactions.
SlowMist stated that the flaw is linked to the Elliptic Curve Digital Signature Algorithm (ECDSA). ECDSA relies on three key components to generate a digital signature: the message being signed, the private key used for signing, and a unique random number (k), which ensures that even if the same message is signed multiple times, each signature remains distinct.
The firm highlighted that the issue arises when k is mistakenly reused for different messages. If this occurs, an attacker can exploit the repetition to derive the private key, ultimately compromising the security of the entire system.
This type of vulnerability has been exploited in the past. In July 2021, a similar weakness in ECDSA led to the compromise of the Anyswap protocol, where attackers leveraged weak signatures to forge transactions. The breach resulted in the theft of approximately $8 million.
Given the severity of the current flaw, SlowMist urged developers and users of affected platforms to take immediate action. It advised security teams to review their implementations of elliptic curve encryption, ensure proper randomness in signature generation, and apply patches as soon as possible to mitigate risks.
The discovery of this vulnerability came amid a sharp increase in cryptocurrency thefts. A report by blockchain analytics firm CertiK revealed that over $750 million worth of cryptocurrencies was stolen in the third quarter of 2024 due to phishing attacks and private key breaches.
Despite a decrease in the total number of security incidents to just over 150, the total amount lost increased by 9.5% compared to the previous quarter. CertiK estimated that hackers stole nearly $2 billion in 2024.
If you want to read more news articles like this, visit DeFi Planet and follow us on Twitter, LinkedIn, Facebook, Instagram, and CoinMarketCap Community.
“Take control of your crypto portfolio with MARKETS PRO, DeFi Planet’s suite of analytics tools.”
