A significant vulnerability has been discovered in the Libbitcoin Explorer 3.x library, resulting in the theft of over $900,000 from Bitcoin users, as reported by blockchain security firm SlowMist. This vulnerability also poses a threat to users of other cryptocurrencies such as Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash, and Zcash who utilize Libbitcoin for generating accounts.
The Libbitcoin implementation is frequently used by developers and validators to create Bitcoin and other cryptocurrency accounts. Various applications like Airbitz, Bitprim, Blockchain Commons, and Cancoin rely on this implementation. However, SlowMist did not specify which applications using Libbitcoin are affected by the vulnerability.
Cointelegraph reached out to the Libbitcoin Institute for comment but has not received a response at the time of writing.
The vulnerability, named the “Milk Sad” vulnerability, was initially discovered by the cybersecurity team called “Distrust” and reported to the CEV cybersecurity vulnerability database on August 7. It appears that the Libbitcoin Explorer has a flawed key generation mechanism, enabling attackers to guess private keys. Exploiting this vulnerability, attackers have stolen more than $900,000 worth of cryptocurrencies as of August 10.
SlowMist highlighted one particular attack that resulted in the theft of over 9.7441 BTC, equivalent to approximately $278,318. The firm claims to have taken action by blocking the attacker’s address and contacting exchanges to prevent the funds from being cashed out. They also mentioned their commitment to monitoring the address in case the funds are moved elsewhere.
To shed light on the vulnerability, members of the Distrust team and eight freelance security consultants have created an informational website called “Milksad.info.” The website explains that the loophole occurs when users employ the “bx seed” command to generate a wallet seed. This command utilizes the Mersenne Twister pseudorandom number generator (PRNG) initialized with 32 bits of system time, lacking sufficient randomness and leading to the creation of identical seeds for multiple individuals.
The researchers from Distrust came across the vulnerability when they were contacted by a Libbitcoin user who had lost their BTC mysteriously on July 21. Upon reaching out to other Libbitcoin users, they discovered that these users were also experiencing the siphoning away of their BTC.
The incident highlights the ongoing problem of wallet vulnerabilities for cryptocurrency users in 2023. In June, a hack of the Atomic Wallet resulted in the loss of over $100 million, as acknowledged by the app’s team. Furthermore, in July, the cybersecurity certification platform CER released its wallet security rankings, revealing that only six out of 45 wallet brands undergo penetration testing to identify vulnerabilities.
Crypto users must remain vigilant and take necessary precautions to secure their wallets in order to safeguard their assets from such vulnerabilities and attacks.
Source link