Milk Sad Disclosure

A practical explanation of how weak entropy can ruin your day - and your savings.

Vulnerability CVE-2023-39910

• We discovered a cryptographic weakness in the widely utilized Libbitcoin Explorer (bx) cryptocurrency wallet tool while following up on mysterious wallet thefts.
• The bx seed subcommand for generation of new wallet private key entropy is flawed and produces insecure output.
• On Libbitcoin Explorer 3.x versions, bx seed uses the Mersenne Twister pseudorandom number generator (PRNG) initialized with 32 bits of system time.
• Bad actors have discovered this flaw and are actively exploiting it to steal funds from affected wallets on multiple blockchains.
• We have reasons to believe some Libbitcoin Explorer versions before 3.0.0 also produce weak bx seed output in some system environments.
• Think of this as securing your online bank account with a password manager that creates a long random password, but it often creates the same passwords for every user. Malicious people have figured this out and drained funds on any account they can find.

How?

Mastering Bitcoin - Second Edition by Andreas M. Antonopoulos LLC is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

• Popular documentation like “Mastering Bitcoin” suggests the usage of bx seed for wallet generation.
• Secure cryptography requires a source of large, non-guessable numbers. If the random number generator is weak, the resulting cryptographic usage is almost always compromised.
• For technical people: in this case, practical wallet security is reduced from 128 bit, 192 bit or 256 bit to a mere 32 bit of unknown key information.
• A 32 bit key space is 2^32, or 4,294,967,296 different unique combinations of derived BIP39 mnemonic phrases or other key formats (BIP32). Spoiler: That’s not as many combinations as it sounds.
• With enough optimizations, a decent gaming PC can do a brute-force search through 2^32 wallet combinations in less than a day.
• Since bx has a configurable output length and can be used in several ways, there are a few variations the attacker needs to test for each case. This slows down practical attacks to a few days.
• Once an attacker finds a match of a wallet candidate with an actual wallet used on a blockchain, they are in full possession of the private keys and can steal remaining funds, trace all previous wallet history and sign messages.
• The attack works independent of the owner’s current copy of the wallet secrets. In other words, even if you keep your paper wallet in a bank safe, your funds can still be stolen remotely. Crazy, right?
• Attackers are actively exploiting this and have been draining funds of wallets where the mnemonic was generated using this tool.
• Why the silly “Milk Sad” name? Running bx seed on 3.x versions with a system time of 0.0 always generates the following secret:

  milk sad wage cup reward umbrella raven visa give list decorate bulb gold raise twenty fly manual stand float super gentle climb fold park

When?

The main theft occurred around 12 July 2023, although initial exploitation likely began at a smaller scale in May 2023.

A separate but similar vulnerability in another wallet software was detected in November 2022 and actively exploited shortly after, which may be the prequel to this story.

Who?

We did not identify who is behind the ongoing thefts from vulnerable wallets.

Type

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Vendor

Libbitcoin

Further Reading

See our technical writeup, research updates and FAQ.

Related Vulnerabilities

Trust Wallet:

• CVE-2023-31290 - vendor advisory and Ledger Donjon’s technical writeup
• CVE-2024-23660 - SECBIT Labs’ technical disclosure writeup

Contact

• General requests and comments: email team@milksad.info
• Press: email press@milksad.info

Team & Credits

• Core Team
  • Distrust
    • Anton Livaja - anton@distrust.co
    • Lance R. Vick - lance@distrust.co, https://lance.dev
    • Ryan Heywood - ryan@distrust.co, https://ryansquared.pub
    • Shane Engelman - shane@distrust.co
  • Independent
    • Christian Reitter - https://inhq.net
    • Daniel Grove - danny@dannygrove.com
    • Dustin Johnson - milksad@di0.io
    • Heiko Schaefer - heiko@schaefer.name
    • James Callahan - james@wavesquid.com
    • Jochen Hoenicke - https://jhoenicke.de
    • John Naulty - jnaulty@dendritictech.com
    • Matthew Brooks - *@logicwax.com
• Special Thanks
  • Jack Kearney - Turnkey
  • Several trusted advisors that wish to remain uncredited. You know who you are.