A severe vulnerability in the Libbitcoin Explorer 3.x library has resulted in the theft of over $900,000 worth of cryptocurrencies, according to a report from blockchain security firm SlowMist. This vulnerability not only affects Bitcoin users but also Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash, and Zcash users who generate accounts using the Libbitcoin library.
Libbitcoin is a popular Bitcoin wallet implementation used by various applications such as Airbitz (mobile wallet), Bitprim (developer interface), Blockchain Commons (decentralized wallet identity), Cancoin (decentralized exchange), and more. SlowMist did not specifically mention which applications utilizing Libbitcoin are impacted by the vulnerability.
The discovery of this vulnerability was credited to the cybersecurity team “Distrust,” who reported it to the CVE cybersecurity vulnerability database on August 7. SlowMist labeled the vulnerability as the “Milk Sad” vulnerability, indicating that the Libbitcoin Explorer has a flawed key generation mechanism, making it possible for attackers to guess private keys. Exploiting this vulnerability, attackers have managed to steal over $900,000 worth of cryptocurrencies as of August 10.
SlowMist highlighted one particularly alarming attack in which over 9.7441 BTC (approximately $278,318) was stolen. To prevent the attacker from cashing out the funds, SlowMist claims to have “blocked” the address, and they will continue to monitor it in case the funds are transferred elsewhere.
The Distrust team, along with eight freelance security consultants who assisted in discovering the vulnerability, has created an informational website (milksad.info) to explain the specifics of the vulnerability. They revealed that the vulnerability arises when users utilize the “bx seed” command to generate a wallet seed. This command relies on the Mersenne Twister pseudorandom number generator (PRNG) initialized with 32 bits of system time, which lacks sufficient randomness and can generate the same seed for multiple users.
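A simplified model of the weakness described above, added here as an illustration and not taken from Libbitcoin's source or the milksad.info write-up: a Mersenne Twister seeded with 32 bits of clock data, shown beside a seed drawn from the operating system's random source. The function names, the byte-extraction step and the clock values are assumptions made for the example.

```cpp
// Added illustration; a simplified model, not Libbitcoin's source code.
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <random>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Keep only the low 32 bits of a clock reading, as a 32-bit PRNG seed does.
uint32_t truncate_clock(uint64_t clock_ticks) {
    return static_cast<uint32_t>(clock_ticks);
}

// Weak pattern: every output byte is a pure function of the 32-bit seed,
// so at most 2^32 distinct results exist whatever the requested length.
Bytes weak_seed(uint32_t seed32, size_t length) {
    std::mt19937 prng(seed32);
    Bytes out(length);
    for (auto &b : out) b = static_cast<uint8_t>(prng() & 0xFF);
    return out;
}

// Hardened pattern: take the bytes from the operating system's CSPRNG.
Bytes strong_seed(size_t length) {
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    Bytes out(length);
    if (!urandom.read(reinterpret_cast<char *>(out.data()),
                      static_cast<std::streamsize>(length)))
        throw std::runtime_error("OS random source unavailable");
    return out;
}

int main() {
    const uint64_t user_a = 1690000000123456789ULL;  // constructed clock value
    const uint64_t user_b = user_a + (1ULL << 32);    // a different moment
    bool same = weak_seed(truncate_clock(user_a), 32) ==
                weak_seed(truncate_clock(user_b), 32);
    std::printf("weak seeds collide: %s\n", same ? "yes" : "no");
    std::printf("strong seeds collide: %s\n",
                strong_seed(32) == strong_seed(32) ? "yes" : "no");
    return 0;
}
```

The 256-bit output of the weak function carries no more than 32 bits of entropy, which is why two users whose truncated clock values match end up with the same seed.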
The researchers encountered the vulnerability when a Libbitcoin user reported their BTC mysteriously disappearing on July 21. Upon reaching out to other Libbitcoin users, they discovered that others had also experienced cryptocurrency theft.
In response to the situation, Eric Voskuil, a member of the Libbitcoin Institute, clarified that the “bx seed” command is designed for demonstrating behavior that requires entropy but is not intended for use in production wallets. Voskuil acknowledged the need for a stronger warning against using it for production key seeding and stated that they would likely make changes in the coming days to address this issue.
This incident highlights the ongoing problem of wallet vulnerabilities in the cryptocurrency industry. In June, over $100 million was lost in a hack of the Atomic Wallet, confirmed by the app’s team. A report by cybersecurity certification platform CER in July revealed that only six out of 45 wallet brands undergo penetration testing to identify vulnerabilities.
It is crucial for cryptocurrency users to remain vigilant and take steps to secure their wallets and accounts. This includes using wallets from reputable providers, keeping software and systems up to date, enabling two-factor authentication, and storing funds offline in cold storage wallets whenever possible. Additionally, it is essential to regularly monitor accounts and report any suspicious activity to the relevant authorities or security firms.