A critical vulnerability in the Libbitcoin Explorer 3.x library has resulted in the theft of over $900,000 from cryptocurrency users, according to a report from blockchain security firm SlowMist. The vulnerability affects not only Bitcoin users but also users of Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash, and Zcash who rely on Libbitcoin to generate their accounts.
Libbitcoin is a widely used Bitcoin wallet implementation that is utilized by various applications such as Airbitz, Bitprim, Blockchain Commons, and Cancoin. However, it is unclear which specific applications using Libbitcoin are impacted by this vulnerability.
Cointelegraph reached out to the Libbitcoin Institute for comment but did not receive a response at the time of publication. SlowMist credited a cybersecurity team called “Distrust” for discovering the vulnerability, which has been labeled the “Milk Sad” vulnerability. The team reported the vulnerability to the CVE cybersecurity vulnerability database on August 7.
According to SlowMist’s findings, the Libbitcoin Explorer suffers from a flawed key generation mechanism, which allows attackers to guess private keys. As a result, attackers have exploited this vulnerability to steal over $900,000 in cryptocurrencies as of August 10.
In one specific attack, SlowMist identified that an attacker siphoned away over 9.7441 BTC, equivalent to approximately $278,318. The firm claims to have blocked the attacker’s address and has contacted exchanges to prevent the funds from being cashed out. Additionally, SlowMist stated that they will continue monitoring the address in case the funds are transferred elsewhere.
To provide more information about the vulnerability, members of the Distrust team, along with eight freelance security consultants who contributed to its discovery, have set up a dedicated website called “milksad.info.” The website explains that the vulnerability occurs when users utilize the “bx seed” command to generate a wallet seed. This command relies on the Mersenne Twister pseudo-random number generator (PRNG), which, when initialized with 32 bits of system time, lacks sufficient randomness and may produce the same seed for multiple users.
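The weakness described above, shown as an added C++ example that is not Libbitcoin's code: a seed drawn from a Mersenne Twister initialized with a 32-bit value is fully determined by that value, while the hardened variant takes every byte from the operating system's CSPRNG. The function names, the way bytes are taken from the PRNG, and the sample clock value are assumptions made for illustration.

```cpp
// Added illustration; NOT Libbitcoin's code. How bytes are drawn from the
// PRNG here is a simplifying assumption.
#include <cstddef>
#include <cstdint>
#include <fstream>
#include <iostream>
#include <random>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// Weak pattern: every output byte is a pure function of one 32-bit input,
// so at most 2^32 distinct seeds exist however many bytes are requested.
Bytes weak_seed(std::uint32_t clock32, std::size_t n) {
    std::mt19937 prng(clock32);
    Bytes out(n);
    for (auto& b : out) b = static_cast<std::uint8_t>(prng() & 0xFF);
    return out;
}

// Hardened pattern: read all seed bytes from the OS CSPRNG
// (/dev/urandom on Unix-like systems) and fail closed if it is unavailable.
Bytes strong_seed(std::size_t n) {
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    Bytes out(n);
    if (!urandom.read(reinterpret_cast<char*>(out.data()),
                      static_cast<std::streamsize>(n)))
        throw std::runtime_error("OS randomness unavailable");
    return out;
}

int main() {
    const std::uint32_t t = 1690000000u;  // constructed sample clock value
    // Two independent users whose clocks yield the same 32-bit value.
    Bytes user_a = weak_seed(t, 32), user_b = weak_seed(t, 32);
    std::cout << "weak: identical 256-bit seeds = " << (user_a == user_b) << "\n";
    std::cout << "strong: identical 256-bit seeds = "
              << (strong_seed(32) == strong_seed(32)) << "\n";
    return 0;
}
```

A seed that looks like 256 bits therefore carries at most 32 bits of entropy in the weak case, which is why wallets generated this way should be treated as compromised and funds moved to keys created from a CSPRNG.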
The Distrust team became aware of the vulnerability after a Libbitcoin user reported mysteriously missing BTC on July 21. Upon contacting other Libbitcoin users, they discovered that similar thefts were occurring. This prompted their investigation, leading to the discovery of the Milk Sad vulnerability.
This incident underscores the ongoing challenges faced by cryptocurrency users regarding wallet security. In June, the Atomic Wallet experienced a hack that resulted in the loss of over $100 million. Wallet security rankings released by cybersecurity certification platform CER in July revealed that only six out of 45 wallet brands employ penetration testing to detect vulnerabilities.
As the cryptocurrency landscape continues to evolve, it is crucial for users to remain vigilant and choose wallets that prioritize rigorous security measures. Additionally, developers and validators should regularly update their systems and libraries to address potential vulnerabilities, thus safeguarding user funds from potential exploitation.