A new vulnerability in the Libbitcoin Explorer 3.x library has led to the theft of over $900,000 worth of Bitcoin from users, as reported by blockchain security firm SlowMist. This bug also impacts users of Ethereum, Ripple, Dogecoin, Solana, Litecoin , Bitcoin Cash, and Zcash who have generated accounts using the Libbitcoin library.
Libbitcoin is utilized by developers and validators to create cryptocurrency accounts. It finds applications in various platforms, including mobile wallets like "Airbitz," developer interfaces such as "Bitprim," decentralized wallet identity through "Blockchain Commons," and de centralized exchanges like "Cancoin .”SlowMist did not specify which applications using Libbitcoin were affected by the vulnerability.
SlowMist Technology confirmed that the "Distrust" network security team initially discovered the flaw, referred to as the "Milk Sad" vulnerability. The vulnerability was reported to the CEV cybersecurity vulnerability database on August 7.
The issue lies in the flawed key generation mechanism of Libbitcoin Explorer. This flaw enables attackers to guess private keys, resulting in the theft of cryptocurrencies worth more than $900,000 as of August 10. SlowMist revealed that one of the attacks managed to steal over 9.7441 BTC , roughly equivalent to $278,318. The company claims to have taken action to "block" the address, which means they've contacted the exchange to prevent the attacker from cashing out. The team is also actively monitoring the address for any movement of the funds .
The Distrust team, along with freelance security consultants, has established an informative website explaining the vulnerability. They detail that the vulnerability occurs when a user generates a wallet seed using the "bxseed" command. This command employs a Mersenne Twister pseudo-random number generator (PRNG) initialized with 32-bit system time, leading to insufficient randomness. Consequently, the same seed can sometimes be generated for multiple users. The vulnerability was discovered when a Libbitcoin user's BTC disappeared mysteriously on July 21. Further investigation revealed that other users' cryptocurrencies had also been stolen.
In response, Libbitcoin developer Peter Voskuil stated that the "bx seed" command is not intended for production wallets and is meant to demonstrate behavior requiring entropy. However, he mentioned considering strengthening the warning for production use or potentially removing the command in the future.
Cryptocurrency wallet vulnerabilities continue to pose challenges for users in 2023. The Atomic Wallet suffered a hack in June, resulting in a loss of over $100 million. In July, cybersecurity certification platform CER released wallet security rankings, indicating that only a small fraction of wallet Brands conduct penetration testing to uncover vulnerabilities.
