Newly discovered Bitcoin wallet loophole let hackers steal $900K — SlowMist

Exploring the Milk Sad Vulnerability in Libbitcoin

A recently discovered security flaw in the Libbitcoin Explorer 3.x library has enabled attackers to steal more than $900,000 worth of crypto from Bitcoin users, according to blockchain security firm SlowMist. This vulnerability can also affect users of Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash, and Zcash who use Libbitcoin to generate accounts.

Libbitcoin is a Bitcoin wallet implementation used by developers and validators to create Bitcoin (BTC) and other cryptocurrency accounts. According to its official website, it is used by “Airbitz (mobile wallet), Bitprim (developer interface), Blockchain Commons (decentralized wallet identity), Cancoin (decentralized exchange)” and other applications. SlowMist did not specify which applications that use Libbitcoin, if any, are affected by the vulnerability.

SlowMist identified cybersecurity team “Distrust” as the team that initially discovered the loophole, which is called the “Milk Sad” vulnerability. It was reported to the CVE cybersecurity vulnerability database on Aug. 7.

According to the post, the Libbitcoin Explorer has a faulty key generator, allowing private keys to be guessed by attackers. This has enabled attackers to exploit the vulnerability and steal over $900,000 worth of crypto as of Aug. 10.

Crypto Vulnerability Discovered

SlowMist recently reported that an attack had drained 9.7441 BTC (roughly $278,318) from a crypto wallet. The company stated that they had “blocked” the address, implying that exchanges had been contacted to prevent the attacker from cashing out. The firm will be monitoring the address in the event that funds are moved elsewhere.

Four members of the Distrust team, with the assistance of eight freelance security consultants, created an informational website to explain the vulnerability. They discovered that the loophole is created when users use the “bx seed” command to generate a wallet seed. This command utilizes the Mersenne Twister pseudorandom number generator (PRNG) initialized with 32 bits of system time, which is not random enough and sometimes produces the same seed for multiple people.
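
The weakness described above, as an added Python example (not Libbitcoin's code and not part of the original article): a simplified model in which a seed is drawn from a Mersenne Twister keyed only by 32 bits of clock time, next to a seed drawn from the operating system CSPRNG. The function names, the 32-byte seed length and the timestamp are assumptions made for illustration, and the model is not meant to reproduce bx output.

```python
import random
import secrets
from typing import Optional

SEED_BYTES = 32          # assumed seed length for this illustration
MASK32 = 0xFFFFFFFF      # only 32 bits of the clock reach the generator


def weak_seed(clock: int, nbytes: int = SEED_BYTES) -> bytes:
    """Model of the flawed pattern: Mersenne Twister keyed by 32 bits of time."""
    rng = random.Random(clock & MASK32)   # random.Random is MT19937
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_seed(nbytes: int = SEED_BYTES) -> bytes:
    """Corrected pattern: take every byte from the operating system CSPRNG."""
    return secrets.token_bytes(nbytes)


def audit_own_seed(seed: bytes, first: int, last: int) -> Optional[int]:
    """Return the clock value in [first, last] that reproduces `seed`, if any.

    Meant for checking a seed you own against the period in which you
    created it; a match means the seed carries no more entropy than the clock.
    """
    for clock in range(first, last + 1):
        if weak_seed(clock, len(seed)) == seed:
            return clock
    return None


if __name__ == "__main__":
    t = 1_689_900_000                      # constructed timestamp
    alice, bob = weak_seed(t), weak_seed(t)
    print("same clock, same seed:", alice == bob)
    print("clock wraps at 2**32: ", weak_seed(t + 2**32) == alice)
    print("weak seed traced to:  ", audit_own_seed(alice, t - 1000, t + 1000))
    print("CSPRNG seed traced to:", audit_own_seed(strong_seed(), t - 1000, t + 1000))
```

However long the output is, the weak generator can emit at most 2^32 distinct seeds, which is why a seed meant for real funds has to come from the operating system's CSPRNG.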

The issue was brought to the team’s attention when a Libbitcoin user reported that their BTC had gone missing on July 21. After reaching out to other Libbitcoin users to try to determine what had happened, they found that others had also had their BTC siphoned away.

Cointelegraph contacted Libbitcoin Institute member Eric Voskuil for comment. Voskuil stated that the bx seed command “is provided as a convenience for when the tool is used to demonstrate behavior that requires entropy” and is not intended to be used in production wallets. He added that if people had used it for production key seeding, then the warning was insufficient. Voskuil concluded that they would likely make changes in the following days to strengthen the warning against production use, or remove the command altogether.

In June, Atomic Wallet users suffered a cyber attack that cost them over $100 million, which was reported by the app’s team on June 22. In July, CER, a cybersecurity certification platform, released its wallet security rankings and only six out of 45 wallet brands used penetration testing to detect vulnerabilities. Despite the efforts of the NFT crypto and OGN crypto communities, wallet vulnerabilities remain a major issue for crypto users in 2023.
