A report from information security firm Distrust disclosed a vulnerability present in the Bitcoin development toolkit Libbitcoin, potentially putting a number of crypto wallets at risk of being drained unexpectedly by exploiters.
The vulnerability, dubbed “Milk Sad” after the first two words of a seed phrase the flawed code produces, was discovered when two crypto wallet users learned that their Bitcoin had been stolen at the very same minute on-chain.
If you generated a wallet using Libbitcoin's Bitcoin Explorer, including as described in the appendix to Mastering Bitcoin, your funds are at risk (or already stolen).
Full details: https://t.co/Crlw63lUr4
— David A. Harding (@hrdng) August 8, 2023
A team of investigators traced the root cause to Libbitcoin Explorer (BX), which used a broken time-based pseudorandom number generator to produce the entropy behind seed phrases when creating a wallet.
“Anyone can re-compute and find a victim’s originally used entropy after a maximum of about 4.29 billion attempts if they have specific characteristics to look for to see if they successfully found a cryptocurrency wallet,” wrote researchers at Distrust.
To put things into perspective, the researchers noted that brute-forcing this key space would take just a few days of computation on an average gaming PC and could be performed by anyone with sufficient programming skills.
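As an added illustration (not Libbitcoin's or BX's code), the weak pattern the report describes is shown beside its hardened form: Python's random module is also a Mersenne Twister (MT19937), so seeding it with a 32-bit time value and drawing 256 bits yields outputs that are fully reproducible from that one value; the timestamp below is a constructed sample.

```python
import random
import secrets

SEED_BITS = 32  # assumption mirroring the report: only a 32-bit time value seeds the generator


def weak_entropy_bytes(timestamp: int, nbytes: int = 32) -> bytes:
    """Flawed pattern: seed MT19937 (Python's random) with a 32-bit time value
    and draw nbytes of output. The result is a pure function of the seed."""
    seed = timestamp & 0xFFFFFFFF        # only 32 bits of state ever enter the generator
    rng = random.Random(seed)            # not a CSPRNG; anyone with the seed gets the same bytes
    return rng.getrandbits(8 * nbytes).to_bytes(nbytes, "big")


def strong_entropy_bytes(nbytes: int = 32) -> bytes:
    """Hardened form: read from the OS CSPRNG; there is no reproducible seed."""
    return secrets.token_bytes(nbytes)


def effective_keyspace(nbytes: int, seed_bits: int = SEED_BITS) -> int:
    """Distinct outputs the generator can ever emit: bounded by the seed size,
    not by the number of bytes requested. 256 requested bits still give 2**32."""
    return 2 ** min(seed_bits, 8 * nbytes)


if __name__ == "__main__":
    ts = 1691452800  # constructed sample: 2023-08-08 00:00:00 UTC
    a = weak_entropy_bytes(ts)
    b = weak_entropy_bytes(ts)
    print("weak output reproducible from timestamp:", a == b)
    print("weak outputs possible for 32 bytes:", effective_keyspace(32))
    print("weak outputs possible for 32 bytes from a strong source:", 2 ** 256)
    print("strong outputs differ across calls:", strong_entropy_bytes() != strong_entropy_bytes())
```

The 4,294,967,296 figure returned by effective_keyspace(32) is the "about 4.29 billion attempts" the researchers cite.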
So far, the investigators found that at least $900,000 worth of crypto has been stolen across multiple blockchains, and 2,600 Bitcoin wallets were impacted by the theft.
The Distrust team said they attempted to contact the Libbitcoin team about the issue on July 22 and, a few days later, were told that the team was too busy to respond. When the investigators provided more context and technical details on Aug. 3, the Libbitcoin team replied that they did not feel the issue should be characterized as a bug.
they didn’t even need a cryptographer like me to tell them that this a cascade of fantastically stupid blunders, literally the wikipedia page for the mersenne twister PRNG has a bullet point saying “this is not cryptographically secure” like they could have just read wikipedia pic.twitter.com/98P3m5eUox
— isis osiris agora lovecruft (they/them) (@isislovecruft) August 9, 2023
The report notes that besides BTC, thefts of other tokens such as ETH, XRP, DOGE, SOL, LTC, BCH and ZEC had also been confirmed. However, the full scope of the impact has yet to be determined, according to Anton Livaja, a member of the Distrust team, who said $1 million is the lower bound of the estimated funds stolen.
According to Eric Voskuil, BX’s lead developer, the issue is not the result of a bug in BX or Libbitcoin, but rather the result of “reckless wallet development.”
I have been informed by the folks at https://t.co/Ja1L3PDloF that they have filed a CVE against Libbitcoin. Apparently a wallet product used a BX command in a manner explicitly warned against. This is not a bug in BX or Libbitcoin, it is reckless wallet development. pic.twitter.com/QGlCHB6XQX
— Eric Voskuil (@evoskuil) August 7, 2023
Voskuil claims that wallet developers were explicitly warned against using BX commands in a certain manner, referring to the GitHub documentation that states “pseudorandom seeding can introduce cryptographic weakness into your keys.”
However, investigators at Distrust deemed this “single warning” insufficient to address the risk.
“The wording ‘can introduce’ is quite weak and a user may not be aware that this produces a seed that is completely insecure and should not be used to store anything of value,” said the Distrust team in the report.