• Fri. May 24th, 2024

900K Lost: Milk Sad & Libbitcoin

Avatar photo

ByMarcel Bich

Sep 6, 2023
900K Lost: Milk Sad & Libbitcoin
Marcel Bich
Latest posts by Marcel Bich (see all)

According to blockchain security firm SlowMist, a recent vulnerability in the Libbitcoin Explorer 3.x library has led to the loss of about $900,000 worth of Bitcoin. This problem also affects anyone who use Libbitcoin to store other cryptocurrencies like Ethereum, Ripple, Dogecoin, and others.

The Mersenne Twister pseudo-random number generator (PRNG) vulnerability seen in versions of Libbitcoin Explorer 3.x was noted by SlowMist’s Security Alert, which was published on August 10, 2023.

When generating Bitcoin accounts, developers and validators frequently turn to Libbitcoin. Even though SlowMist hasn’t identified the damaged apps, notable programs that depend on Libbitcoin include Airbitz, Bitprim, Cancoin, and others.

The security hole, dubbed “Milk Sad,” was discovered by Distrust’s cybersecurity team on August 7 and added to the CVE cybersecurity vulnerability database.

Due to Libbitcoin Explorer’s defective key generating procedure and the vulnerability, it has been revealed that hackers have been able to guess private keys. By August 10, over $900,000 in Bitcoin had been stolen.

Lost BTC Sparks Action: Unveiling Flaw & Potential Changes

9.7441 BTC (or around $278,318) were lost as a consequence of a specific assault. By banning the stolen address, alerting exchanges to prevent fund transfers, and pledging to ongoing surveillance, SlowMist quickly took action.

To reveal the problem, the Distrust team worked with outside security professionals to develop an informative website. The “bx seed” command, which employs a PRNG with inadequate randomization, is the vulnerability.

It’s interesting that the researchers stumbled into this weakness while looking into the mysterious loss of BTC on July 21. Their investigation turned up more Libbitcoin users who were experiencing monetary losses.

The “bx seed” command is just for demonstration reasons, not for use with live wallets, according to Eric Voskuil of the Libbitcoin Institute.

The warning wouldn’t be enough, according to Voskuil, if users were really using it to populate production keys (instead of, say, playing dice). He recommended possible improvements to the warning or the elimination of the order altogether.

 
Avatar photo

Marcel Bich

Marcel ‘s passion for the world of cryptocurrencies and his comprehensive knowledge of blockchain technology make him an invaluable asset to our team. He stays updated on the latest trends, regulations, and emerging technologies in the crypto space, ensuring that our audience receives accurate and up-to-date information.