Milk Sad Disclosure

A practical explanation of how weak entropy can ruin your day - and your savings.

Vulnerability CVE-2023-39910

How?

Mastering Bitcoin - Second Edition by Andreas M. Antonopoulos LLC is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

When?

The main theft occurred around 12 July 2023, although initial exploitation likely began at a smaller scale in May 2023.

A separate but similar vulnerability in other wallet software was detected in November 2022 and actively exploited shortly after. It may be the prequel to this story.

Who?

We did not identify who is behind the ongoing thefts from vulnerable wallets.

Type

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Vendor

Libbitcoin

Further Reading

See our technical writeup, research updates and FAQ.

Trust Wallet:
