Milk Sad and Libbitcoin Explorer: More than "milk sadness" — $900,000 is missing

A problem in generating keys in Libbitcoin led to a large-scale theft of cryptocurrency.

A recently revealed vulnerability in the Libbitcoin Explorer 3.x library allowed attackers to steal more than $900,000 from bitcoin users, according to a report by SlowMist, a blockchain security firm. The vulnerability could also affect users of Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash, and Zcash who use Libbitcoin to create accounts.

"SlowMist security warning. Recently, Distrust discovered a serious vulnerability affecting cryptocurrency wallets that use versions of Libbitcoin Explorer 3.x. This vulnerability allows attackers to gain access to the wallet's private keys using the Mersenne Twister pseudorandom number generator (PRNG), which leads to real consequences," SlowMist (@SlowMist_Team) reported on August 10, 2023.

Libbitcoin is a bitcoin wallet implementation that developers and validators sometimes use to create accounts in Bitcoin (BTC) and other cryptocurrencies. The official website states that it is used by "Airbitz (mobile wallet), Bitprim (developer interface), Blockchain Commons (identification of a decentralized wallet), Cancoin (decentralized exchange)" and other applications. SlowMist did not specify which applications using Libbitcoin are vulnerable.

The vulnerability, dubbed "Milk Sad", was first discovered by the "Distrust" cybersecurity team. It was reported to the CVE vulnerability database on August 7.

It is reported that Libbitcoin Explorer has a defective key generation mechanism that allows hackers to guess private keys. As a result, hackers used this vulnerability to steal more than $900,000 worth of cryptocurrency as of August 10.

SlowMist noted that one of the attacks resulted in the theft of more than 9.7441 BTC (about $278,318). The company said that it "blocked" the address, that is, contacted the exchanges to prevent the hacker from withdrawing funds. The team also said it will monitor the address in case funds are moved elsewhere.

Four members of the Distrust team and eight external security consultants who claim to have helped find the vulnerability have created an information site that explains the vulnerability. They said that the problem occurs when users use the "bx seed" command to create a seed phrase for their wallet. This command "uses a Mersenne Twister pseudo-random number generator (PRNG) initialized with 32 bits of system time", which does not provide enough randomness and sometimes creates the same seed phrase for different people.

The researchers also reported that they discovered the vulnerability when a Libbitcoin user approached them for help, as his BTC mysteriously disappeared on July 21. Upon investigation, they found that other Libbitcoin users also experienced a loss of funds.

Eric Voskuil, a member of the Libbitcoin Institute, said that the bx seed command is "provided for convenience when the tool is used to demonstrate entropy-demanding behavior" and is not recommended for use in production wallets.

"If people really used it to fill out production keys (as opposed to, for example, playing dice), then the warning is not enough," Voskuil said. In this case: "We will probably make some changes over the next few days to reinforce the warning against use in a production environment, or remove the command altogether."
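
The weakness described above for the "bx seed" command, modelled as an added example (not code from Libbitcoin or from the original article): a Mersenne Twister seeded with a 32-bit time value next to the operating system's CSPRNG, with the resulting entropy bound and the chance of two users getting the same output. CPython's `random` is a Mersenne Twister but is seeded differently from the C++ one, so these bytes do not match real bx output; the function names are hypothetical, the timestamp is constructed, and the collision estimate assumes uniformly distributed seeds.

```python
import math
import random
import secrets

SEED_BITS = 32  # per the quoted description: PRNG initialized with 32 bits of system time

def weak_entropy(time_seed: int, nbytes: int = 32) -> bytes:
    """Flawed pattern: every output byte is a pure function of a 32-bit seed."""
    rng = random.Random(time_seed & 0xFFFFFFFF)  # CPython's random is MT19937
    return bytes(rng.getrandbits(8) for _ in range(nbytes))

def strong_entropy(nbytes: int = 32) -> bytes:
    """Corrected pattern: bytes drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(nbytes)

def effective_entropy_bits(nbytes: int, seed_bits=None) -> int:
    """Upper bound on unpredictability: output length capped by seed width."""
    out_bits = nbytes * 8
    return out_bits if seed_bits is None else min(out_bits, seed_bits)

def collision_probability(n_users: int, space_bits: int) -> float:
    """Birthday estimate that two of n_users get the same value.
    Assumes uniform draws; clock-derived seeds cluster, so reality is worse."""
    pairs = n_users * (n_users - 1) / 2
    return -math.expm1(-pairs / 2 ** space_bits)

if __name__ == "__main__":
    ts = 1_690_000_000  # constructed sample timestamp, not from any real wallet
    a, b = weak_entropy(ts), weak_entropy(ts)
    print("same seed, same 'random' bytes:", a == b)
    print("weak bits:", effective_entropy_bits(32, SEED_BITS))
    print("strong bits:", effective_entropy_bits(32))
    print("P(collision), 100k users, 32-bit:",
          round(collision_probability(100_000, 32), 3))
    print("P(collision), 100k users, 256-bit:",
          collision_probability(100_000, 256))
```

However many bytes the weak generator emits, its output carries at most 32 bits of entropy, which is why identical seed phrases can appear for different people.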
 