Yet another vulnerability leads to the loss of crypto worth thousands of dollars.
Blockchain security agency SlowMist recently unveiled a critical flaw within the Libbitcoin Explorer 3.x library, which has led to the unauthorized withdrawal of more than $900,000 from Bitcoin (BTC) enthusiasts.
The Libbitcoin Explorer, a preferred choice among developers and validators to establish Bitcoin and other cryptocurrency accounts, appears to be at the heart of the issue. Organizations like Airbitz, Bitprim, Blockchain Commons, and Cancoin are known to utilize Libbitcoin.
Did you know?
Want to get smarter & wealthier with crypto?
Subscribe – We publish new crypto explainer videos every week!
The vulnerability, dubbed the “Milk Sad,” came to light through the cybersecurity group “Distrust.” The issue has been flagged on the CEV cybersecurity vulnerability database since August 7th.
The flaw essentially resides in the Libbitcoin Explorer’s key creation protocol. It permits malicious entities to predict private keys, thereby gaining unauthorized access. This vulnerability was already exploited to steal over $900,000 in cryptocurrency, with one transaction draining over 9.7441 BTC, equating to approximately $278,318.
SlowMist has since taken proactive measures, collaborating with crypto exchanges to “block” the suspect address, thus thwarting the illicit conversion of these stolen funds.
Distrust, joined by an ensemble of freelance cybersecurity experts, has set up a platform dedicated to detailing this vulnerability. Their findings suggest that this flaw emerges when the “bx seed” command gets executed for generating a wallet seed.
This mechanism, reliant on “the Mersenne Twister pseudorandom number generator (PRNG), initialized with 32 bits of system time,” frequently generates identical seeds for different users due to its inadequacy in randomness.
When approached for insight, Eric Voskuil of the Libbitcoin Institute highlighted that the “bx seed” command was chiefly introduced as a tool to “demonstrate behavior that requires entropy” and was never envisioned for production wallets. Recognizing the possible oversight, Voskuil stated:
We’ll likely make some change within the next few days to strengthen the warning against production use, or remove the command altogether.
2023 continues to witness wallet vulnerabilities as a persistent challenge in the crypto realm. An earlier breach in June saw the Atomic Wallet being compromised, leading to a loss exceeding $100 million. With a mere six out of 45 wallet brands currently investing in penetration testing, there’s a pressing need for fortified cybersecurity measures within the crypto community.