A vulnerability in the Libbitcoin Explorer 3.x library has led to the theft of over $900,000 from Bitcoin users.
Blockchain security firm SlowMist reported the issue.
It could also affect users of other digital currencies like Ethereum (ETH), Ripple (XRP), Dogecoin (DOGE), Solana (SOL), Litecoin (LTC), Bitcoin Cash (BCH), and Zcash that employ Libbitcoin to create accounts.
Libbitcoin is a Bitcoin wallet implementation used by various applications, including Airbitz, Bitprim, Blockchain Commons, and Cancoin. SlowMist did not specify which applications are affected by the vulnerability.
The vulnerability, known as the “Milk Sad,” was first discovered by the cybersecurity team “Distrust” and reported to the CEV cybersecurity vulnerability database on Aug. 7. It involves a faulty key generation mechanism in the Libbitcoin Explorer, which allows attackers to guess private keys.
The attackers exploited this vulnerability to steal over $900,000 worth of crypto, including a single attack that siphoned away over $278,318
SlowMist claims to have “blocked” the address, implying that they have contacted exchanges to prevent the attacker from cashing out the funds. They will also be monitoring the address in case funds are moved elsewhere.
The Distrust team and eight freelance security consultants have set up an informational website explaining the vulnerability. They have found that the vulnerability occurs when users generate a wallet seed using the “bx seed” command, which lacks sufficient randomness and can produce the same seed for multiple users.
The vulnerability was discovered when a Libbitcoin user reported missing BTC on July 21. More digging showed that other users were having their Bitcoin stolen similarly.
Eric Voskuil, a member of the Libbitcoin Institute, stated that the “bx seed” command is not intended for production wallets, and changes may be made to strengthen the warning against its use or remove the command altogether.
Wallet vulnerabilities remain a problem for crypto users in 2023, with over $100 million lost in a hack of the Atomic Wallet in June. According to the wallet security rankings released by CER in July, nly six out of 45 wallet brands employ penetration testing to discover vulnerabilities.