According to blockchain security firm SlowMist, a recent vulnerability in the Libbitcoin Explorer 3.x library has led to the loss of about $900,000 worth of Bitcoin. This problem also affects anyone who use Libbitcoin to store other cryptocurrencies like Ethereum, Ripple, Dogecoin, and others.
The Mersenne Twister pseudo-random number generator (PRNG) vulnerability seen in versions of Libbitcoin Explorer 3.x was noted by SlowMist’s Security Alert, which was published on August 10, 2023.
When generating Bitcoin accounts, developers and validators frequently turn to Libbitcoin. Even though SlowMist hasn’t identified the damaged apps, notable programs that depend on Libbitcoin include Airbitz, Bitprim, Cancoin, and others.
The security hole, dubbed “Milk Sad,” was discovered by Distrust’s cybersecurity team on August 7 and added to the CVE cybersecurity vulnerability database.
Due to Libbitcoin Explorer’s defective key generating procedure and the vulnerability, it has been revealed that hackers have been able to guess private keys. By August 10, over $900,000 in Bitcoin had been stolen.
Lost BTC Sparks Action: Unveiling Flaw & Potential Changes
9.7441 BTC (or around $278,318) were lost as a consequence of a specific assault. By banning the stolen address, alerting exchanges to prevent fund transfers, and pledging to ongoing surveillance, SlowMist quickly took action.
To reveal the problem, the Distrust team worked with outside security professionals to develop an informative website. The “bx seed” command, which employs a PRNG with inadequate randomization, is the vulnerability.
It’s interesting that the researchers stumbled into this weakness while looking into the mysterious loss of BTC on July 21. Their investigation turned up more Libbitcoin users who were experiencing monetary losses.
The warning wouldn’t be enough, according to Voskuil, if users were really using it to populate production keys (instead of, say, playing dice). He recommended possible improvements to the warning or the elimination of the order altogether.