Milk Sad: Wallet Theft Enabled By Weak Entropy

"This is the story of a wallet theft enabled by bad cryptography. It covers our research on problems with Libbitcoin Explorer 3.x (CVE-2023-39910), outlines how it is related to the Trust Wallet vulnerability (CVE-2023-31290), and shows some of the real-world impact that we were able to confirm."

Milk Sad: Wallet Theft Enabled By Weak Entropy
  • "We discovered a cryptographic weakness in the widely utilized Libbitcoin Explorer (bx) cryptocurrency wallet tool while following up on mysterious wallet thefts. The bx seed subcommand for generation of new wallet private key entropy is flawed and produces insecure output."
"All versions of bx3.0.0 to 3.6.0 have weak entropy generation. Additionally, we have some indication that the initial sx newseed and some bx2.x versions behave insecurely on some systems. We recommend quickly moving all funds on wallets created with bx seed regardless of the original version and assuming the worst."
  • "Secure cryptography requires a source of large, non-guessable numbers. If the random number generator is weak, the resulting cryptographic usage is almost always compromised. On Libbitcoin Explorer 3.x versions, bx seed uses the Mersenne Twister pseudorandom number generator (PRNG) initialized with 32 bits of system time."
  • "CVE-2023-31290 was a similar vulnerability in Trust Wallet, see Ledger Donjon’s technical writeup."
  • milk sad were the first two words from the first seed phrase of this broken key generation process. Running bx seed on 3.x versions with a system time of 0.0 always generates the following secret:
  • "Popular documentation like “Mastering Bitcoin” suggests the usage of bx seed for wallet generation."
  • "Bad actors have discovered this flaw and are actively exploiting it to steal funds from affected wallets on multiple blockchains."
"We confirmed the practical use of the weak function for over 2600 cryptocurrency wallets on the Bitcoin Mainnet, and connected it to a recent large theft of cryptocurrency funds on multiple popular blockchains that amounts to an estimated $900k of damages."
  • "The main theft occurred around 12 July 2023, although initial exploitation likely began at a smaller scale in May 2023. A separate but similar vulnerability in another wallet software was detected in November 2022 and actively exploited shortly after, which may be the prequel to this story."
datetransactiondestination addressmoved valuenote
2023-07-12 10:41593e11588a2529ed..3GMQRwh8Yz1WVftL..~5.053814 inputs
2023-07-12 10:4181cfe97cc16a4939..3LwDzjA1xH8amCHu..~9.744 BTC> 300 inputs
2023-07-12 10:41a22b33a9a4ca0de2..3D2mKf28exn26v7B..~14.847 BTC> 1200 inputs
"During our accelerated coordinated disclosure to the Libbitcoin team, the Libbitcoin team quickly disputed the relevancy of our findings and the CVE assignment. By our understanding, they consider bx seed a command that should never be used productively by any bx user since it is sufficiently documented as unsuited for safe wallet generation."
  • "We have reasons to believe some Libbitcoin Explorer versions before 3.0.0 also produce weak bx seed output in some system environments."
  • "I have been informed by the folks at that they have filed a CVE against Libbitcoin. Apparently a wallet product used a BX command in a manner explicitly warned against. This is not a bug in BX or Libbitcoin, it is reckless wallet development," said Eric Voskuil.
Warning label presented when using the tool.
  • Per Ledger's CTO Charles Guillemet, "most likely very few wallets are using this."

Full Writeup