Newly Discovered Bitcoin Wallet Vulnerability Allowed Hackers to Steal $900K – SlowMist

A newly discovered vulnerability in the Libbitcoin Explorer 3.x library allowed the theft of more than $900,000 from Bitcoin users, according to a report by blockchain security firm SlowMist. The vulnerability could also affect users of Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash, and Zcash who use Libbitcoin to create accounts.

Libbitcoin is a Bitcoin wallet app that developers and validators sometimes use to create Bitcoin (BTC) and other cryptocurrency accounts. According to its official website, it is used by “Airbitz (mobile wallet), Bitprim (developer interface), Blockchain Commons (decentralized wallet identity), Cancoin (decentralized exchange)” and other applications. SlowMist did not specify which, if any, applications using Libbitcoin are affected by the vulnerability.

SlowMist has identified the “Distrust” cybersecurity team as the team that originally discovered the vulnerability, called the “Milk Sad” vulnerability. It was reported to the CVE cybersecurity vulnerability database on August 7.

According to the post, Libbitcoin Explorer has a faulty key generation mechanism, allowing attackers to guess private keys. As a result, attackers exploited this vulnerability to steal more than $900,000 in cryptocurrency as of August 10.

SlowMist emphasized that one attack in particular hijacked more than 9.7441 BTC (~$278,318). The company claims it “blocked” the address, meaning the team contacted the exchange to prevent the attacker from disbursing the funds. The team also stated that it would monitor the address in the event that funds were moved elsewhere.

Four members of the Distrust Team, along with eight independent security consultants who claim to have helped discover the vulnerability, have created an informational website to explain the vulnerability. They explain that the vulnerability arises when users use the “bx seed” command to generate a wallet seed. This command uses a “Mersenne Twister pseudo-random number generator (PRNG) configured with 32 bits of system time”, which lacks sufficient randomness and thus sometimes produces the same seed for multiple people.

The bx seed command produces the same seed twice. Source: Milk Sad information site
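The weakness described above can be modelled in a few lines. The following is an added example, not code from the article, from Libbitcoin, or from the Milk Sad site: it uses Python's built-in Mersenne Twister as a stand-in and does not reproduce the exact bytes bx emits. The function names, the 24-byte seed length, and the clock reading are assumptions made for the demonstration.

```python
import random
import secrets

SEED_BYTES = 24            # assumed seed length for this demo (192 bits)
CLOCK_MASK = 0xFFFFFFFF    # only 32 bits of the clock reach the PRNG


def weak_seed(clock_value: int, n: int = SEED_BYTES) -> bytes:
    """Model of the flaw: Mersenne Twister seeded with 32 bits of system time."""
    rng = random.Random(clock_value & CLOCK_MASK)   # Python's Random is MT19937
    return bytes(rng.getrandbits(8) for _ in range(n))


def strong_seed(n: int = SEED_BYTES) -> bytes:
    """Hardened form: take every byte from the operating system's CSPRNG."""
    return secrets.token_bytes(n)


def effective_entropy_bits(output_bits: int, prng_seed_bits: int) -> int:
    """A deterministic PRNG cannot emit more entropy than its seed carried."""
    return min(output_bits, prng_seed_bits)


if __name__ == "__main__":
    t = 1_690_000_000_123_456_789          # constructed clock reading
    alice, bob = weak_seed(t), weak_seed(t)
    print("same clock value  :", alice.hex() == bob.hex())
    print("clock + 2**32     :", weak_seed(t + 2**32) == alice)
    print("weak entropy bits :", effective_entropy_bits(SEED_BYTES * 8, 32))
    print("CSPRNG seeds equal:", strong_seed() == strong_seed())
```

However long the output seed is, the weak path can only ever produce one of 2^32 distinct values, which is why independent users can end up with identical wallets.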

The researchers claim to have discovered the vulnerability when contacted by a Libbitcoin user whose BTC mysteriously disappeared on July 21. When the user reached out to other Libbitcoin users to try to determine how the BTC disappeared, the person found that other users had also had their BTC siphoned away.

Cointelegraph has reached out to Libbitcoin Institute member Eric Voskuil for comment. In response, Voskuil states that the bx seed command is “provided as a convenience when the tool is used to demonstrate entropy-demanding behavior” and is not intended for use in production wallets. “If people do in fact use it to produce key seeding (as opposed to, say, rolling the dice), then the warning is insufficient,” Voskuil stated. In this case, “we will likely make some changes within the next few days to strengthen the warning against production use, or remove the command altogether.”

Wallet vulnerabilities continue to be an issue for crypto users in 2023. More than $100 million was lost in a June Atomic Wallet hack, which the app team acknowledged on June 22. Cybersecurity certification platform CER released its wallet security ratings in July, noting that only six out of 45 wallet brands use penetration testing to detect vulnerabilities.

Update (Aug 10 20:51 UTC): This article has been updated to include a comment from Eric Voskuil.