Milk Sad Disclosure
A practical explanation of how weak entropy can ruin your day - and your savings.
- We discovered a cryptographic weakness in the widely utilized
bx) cryptocurrency wallet tool while following up on mysterious wallet thefts.
bx seedsubcommand for generation of new wallet private key entropy is flawed and produces insecure output.
bx seeduses the Mersenne Twister pseudorandom number generator (PRNG) initialized with 32 bits of system time.
- Bad actors have discovered this flaw and are actively exploiting it to steal funds from affected wallets on multiple blockchains.
- We have reasons to believe some
Libbitcoin Explorerversions before
3.0.0also produce weak
bx seedoutput in some system environments.
- Think of this as securing your online bank account with a password manager that creates a long random password, but it often creates the same passwords for every user. Malicious people have figured this out and drained funds on any account they can find.
- Popular documentation like “Mastering Bitcoin” suggests the usage of
bx seedfor wallet generation.
- Secure cryptography requires a source of large, non-guessable numbers. If the random number generator is weak, the resulting cryptographic usage is almost always compromised.
- For technical people: in this case, practical wallet security is reduced from 128 bit, 192 bit or 256 bit to a mere 32 bit of unknown key information.
- A 32 bit key space is 2^32, or 4,294,967,296 different unique combinations of derived BIP39 mnemonic phrases or other key formats (BIP32). Spoiler: That’s not as many combinations as it sounds.
- With enough optimizations, a decent gaming PC can do a brute-force search through 2^32 wallet combinations in less than a day.
bxhas a configurable output length and can be used in several ways, there are a few variations the attacker needs to test for each case. This slows down practical attacks to a few days.
- Once an attacker finds a match of a wallet candidate with an actual wallet used on a blockchain, they are in full possession of the private keys and can steal remaining funds, trace all previous wallet history and sign messages.
- The attack works independent of the owner’s current copy of the wallet secrets. In other words, even if you keep your paper wallet in a bank safe, your funds can still be stolen remotely. Crazy, right?
- Attackers are actively exploiting this and have been draining funds of wallets where the mnemonic was generated using this tool.
- Why the silly “Milk Sad” name? Running
3.xversions with a system time of 0.0 always generates the following secret:
milk sad wage cup reward umbrella raven visa give list decorate bulb gold raise twenty fly manual stand float super gentle climb fold park
The main theft occurred around 12 July 2023, although initial exploitation likely began at a smaller scale in May 2023.
A separate but similar vulnerability in another wallet software was detected in November 2022 and actively exploited shortly after, which may be the prequel to this story.
We did not identify who is behind the ongoing thefts from vulnerable wallets.
- CVE-2023-31290 - vendor advisory and Ledger Donjon’s technical writeup
- CVE-2024-23660 - SECBIT Labs’ technical disclosure writeup
Team & Credits
- Core Team
- Special Thanks
- Jack Kearney - Turnkey
- Several trusted advisors that wish to remain uncredited. You know who you are.