WalletGenerator, according to the published data, it seems that the private key generator contains some anomalies.
Harry Denley, a researcher in the security department of the well-known wallet MyCrypto.com (a fork of MyEtherWallet), has carried out an in-depth study of a website used to generate paper wallets.
In fact, by performing several tests, the same private keys were generated several times, even on different PCs and browsers.
Private keys of paper wallets at risk of duplication
Harry Denley has found that the tool used to achieve the proper rate of entropy using some of the components derived from the client exhibits some malfunctioning.
In detail, it seems that the system responsible for generating random data has stopped using one of the two sets (the one coming from the client, which is the user’s PC) since August 17th, 2018.
As a result, several private keys have been generated using the same internal set of pseudo-random data, with a high probability that multiple users have obtained the same SEED.
According to the tests carried out, using the tool directly from the Github repository, a thousand different private keys have been correctly generated.
However, using the WalletGenerator website between May 18th and 23rd, 2019, only 120 unique keys were generated out of a thousand attempts.
The tests were performed with different devices, using different VPNs, browsers and locations, but the system only used the internal pseudo-casual data set rather than the client one.
That’s why Harry only got 120 unique SEEDs. The tests were carried out again on May 24th and, strangely enough, no anomalies were recorded. However, it may be a coincidence.
“We’re still considering this highly suspect and still recommending users who generated public/private keypairs after August 17, 2018, to move their funds. We do not recommend using WalletGenerator.net moving forward, even if the code at this very moment is not vulnerable”.
