Why the name ‘Milk Sad’?
milk sad were the first two words from the first seed phrase of this broken key generation process.
Why this page?
This page is meant to increase awareness of this type of vulnerability, involving weak cryptographic systems due to inadequate sources of randomness, and help users protect their funds. Weak randomness is something that’s easy to get wrong, and is unfortunately so common that one can frequently find software engineering books teaching this topic incorrectly. We hope this example can motivate developers and users to be more vigilant when dealing with generating sensitive cryptographic material.
I had my cryptocurrency assets stolen and I believe it may be due to this vulnerability. What should I do?
Contact your local authorities. Look into how you generated your wallet in the first place, and if
bx was involved at all.
You can use the lookup service we developed to check if your wallet is impacted by this specific problem.
We do not have your funds.
Has law enforcement been notified?
Yes. If you’re in the US, American Federal Agents have been notified of the issue and the extent of the currently known impact. Further disseminating this information to your country’s authorities may prove helpful.
Have there been similar vulnerabilities in the past?
I created my wallet with
bx seed, but my funds are still there – which versions were vulnerable?
All versions of
3.6.0 have weak entropy generation. Additionally, we have some indication that the initial
sx newseed and some
2.x versions behave insecurely on some systems. We recommend quickly moving all funds on wallets created with
bx seed regardless of the original version and assuming the worst.
bx to generate my wallets but only use it for non-BTC coins, do I need to worry?
Yes. All funds stored on BIP39 mnemonic secrets or BIP32 wallet seeds are affected since the underlying private keys are basically public now.
bx to handle some wallet secrets, but generated them elsewhere, do I need to worry?
The identified problem is limited to the entropy generation functionality. We’re not aware of serious issues in other
bx commands that operate on existing wallets. If you are 100% sure you generated the wallet elsewhere, you should be okay.
Is my hardware wallet affected?
- If you generated your BIP39 mnemonic secret on a hardware wallet, you should be fine.
- We are not aware of any hardware wallet with similarly broken wallet generation - Trezor, Ledger, and other hardware wallets do not use the affected Libbitcoin code.
- If you imported a vulnerable wallet into other software wallets or hardware wallets, they cannot protect you.
Is the vulnerability currently fixed in
We are not aware of a fix. At the time of disclosure, our understanding is that the Libbitcoin team considers this not to be a vulnerability. See this section in our disclosure.
libbitcoin-explorer 3.8.0 fixed the issue by removing the problematic entropy generation command.
Would a security patch fix this problem?
Only for new wallets. All funds stored using previously generated wallets will remain vulnerable, and need to be migrated to a new secure wallet.
How do the researchers involved in this project personally protect their crypto assets?
The team members use a wide array of commercially available hardware wallets as well as custom built solutions, while some do not have crypto-assets at all.
In a nutshell, what are your personal “lessons learned”?
See lessons learned.
Is my major exchange cold storage impacted?
If it doesn’t rely on
bx seed, then we have no indications for it.
Do you have any general advice for avoiding this type of flaw?
- If you are non-technical, don’t try to store large amounts of crypto assets yourself without consulting security experts.
- If you are highly technical and lazy or not well informed on security topics, don’t try to store large amounts of crypto assets yourself.
- Don’t trust closed source solutions, or open source solutions no one credible has reviewed recently.
- Use a hardware wallet, but add a passphrase for good measure.
Any recommendations for experts?
We could fit an entire book of advice here, but some top of mind items:
- Generate keys you care about offline:
- Distrust provides AirgapOS for offline operations.
- Use a BIP39 passphrase with 128 bit entropy or higher, generated completely independently from your mnemonic.
- Ensure your key is actually random:
- Derive addresses with two independent platforms:
- E.g. hardware wallet + airgapped CLI tools should agree on addresses.
- Review the entire code path to your mnemonic/passphrase:
- Be aware of the kernel version and
random.calgorithm you are using.
- Be aware of the kernel version and
- Document every tool and line of code in your key generation path.
Do you accept donations?
Can I hire any of you?
Sure! If you like our work, check out the following commercial services offered by different team members and organizations.
- Distrust, LLC
- Infosec firm focusing on high risk clients
- Pentesting, threat modeling, hands-on security engineering
- Full stack security evaluations and advisory retainer contracts
- Covers: Shane Engelman, Anton Livaja, Ryan Heywood, and Lance Vick
- Christian Reitter
- Freelance InfoSec Consultant
- Pentesting, Code Audits, Security Research, Fuzzing
- Heiko Schaefer
- Focus on OpenPGP: OpenPGP CA, Sequoia PGP, OpenPGP on HSM devices (OpenPGP card, PKCS #11, PIV)