A critical flaw in the Libbitcoin Explorer 3.x library was identified, leading to the unauthorized access and theft of over $900,000 in various cryptocurrencies such as Bitcoin, Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash, and Zcash. The vulnerability, known as “Milk Sad,” was uncovered by the cybersecurity group “Distrust” and subsequently reported to the CEV cybersecurity vulnerability database on August 7, 2023.
Blockchain security firm SlowMist, released a detailed report on the vulnerability on X, stating:
🚨SlowMist Security Alert🚨
Recently, #Distrust discovered a severe vulnerability affecting cryptocurrency wallets using the #Libbitcoin Explorer 3.x versions. This vulnerability allows attackers to access wallet private keys by exploiting the Mersenne Twister pseudo-random…
— SlowMist (@SlowMist_Team) August 10, 2023
The core of the vulnerability lay in Libbitcoin Explorer’s key generation process, where a defect allowed attackers to predict private keys. The issue was attributed to the Mersenne Twister pseudorandom number generator (PRNG) being initialized with only 32 bits of system time, resulting in inadequate randomness. This occasionally led to the generation of identical seeds for different users, thereby exposing their private keys.
CZ Binance, the CEO of Binance, commented on the situation via X, emphasizing the risks associated with self-custody wallets, stating:
Self custody wallets are not without risks. I am supportive of self custody, IF you know what you are doing. Stay #SAFU!
CZ further explained the vulnerability, highlighting that it was due to the random number generator using a 32-bit seed, which is not sufficiently random against modern cracking methods such as GPUs. He reassured that Trustwallet and Binance wallets do not use this method for seed phrase generation, emphasizing the importance of understanding the underlying technology when using self-custody wallets.
Notably, one particular attack that exploited this vulnerability resulted in the theft of over 9.7441 BTC, valued at roughly $278,318. SlowMist has stated that the address involved has been blocked, suggesting collaboration with exchanges to inhibit the attacker from liquidating the stolen funds. The firm would continue to monitor the situation for any movement of the funds.
In related news, the Cypher Protocol recently froze its smart contract after a $1 million exploit. The wrongdoer successfully obtained roughly 38,530 Solana tokens and an estimated $123,184 in USD Coin (USDC), accumulating a total sum of $1,035,203. These assets were moved to a wallet thought to be connected with the exploit.