Why the name ‘Milk Sad’?

milk sad were the first two words from the first seed phrase of this broken key generation process.

Why this page?

This page is meant to increase awareness of this type of vulnerability, involving weak cryptographic systems due to inadequate sources of randomness, and help users protect their funds. Weak randomness is something that’s easy to get wrong, and is unfortunately so common that one can frequently find software engineering books teaching this topic incorrectly. We hope this example can motivate developers and users to be more vigilant when dealing with generating sensitive cryptographic material.

I had my cryptocurrency assets stolen and I believe it may be due to this vulnerability. What should I do?

Contact your local authorities. Look into how you generated your wallet in the first place, and if bx was involved at all.

You can use the lookup service we developed to check if your wallet is impacted by this specific problem.

We do not have your funds.

Has law enforcement been notified?

Yes. If you’re in the US, American Federal Agents have been notified of the issue and the extent of the currently known impact. Further disseminating this information to your country’s authorities may prove helpful.

Have there been similar vulnerabilities in the past?

Yes, this issue is very similar to Trust Wallet, CVE-2023-31290, see the blog post from Ledger Donjon. Other related vulnerabilities are listed in the write-up.

I created my wallet with bx seed, but my funds are still there – which versions were vulnerable?

All versions of bx 3.0.0 to 3.6.0 have weak entropy generation. Additionally, we have some indication that the initial sx newseed and some bx 2.x versions behave insecurely on some systems. We recommend quickly moving all funds on wallets created with bx seed regardless of the original version and assuming the worst.

I used bx to generate my wallets but only use it for non-BTC coins, do I need to worry?

Yes. All funds stored on BIP39 mnemonic secrets or BIP32 wallet seeds are affected since the underlying private keys are basically public now.

I used bx to handle some wallet secrets, but generated them elsewhere, do I need to worry?

The identified problem is limited to the entropy generation functionality. We’re not aware of serious issues in other bx commands that operate on existing wallets. If you are 100% sure you generated the wallet elsewhere, you should be okay.

Is my hardware wallet affected?

Is the vulnerability currently fixed in libbitcoin-explorer?

We are not aware of a fix. At the time of disclosure, our understanding is that the Libbitcoin team considers this not to be a vulnerability. See this section in our disclosure.

Update: libbitcoin-explorer 3.8.0 fixed the issue by removing the problematic entropy generation command.

Would a security patch fix this problem?

Only for new wallets. All funds stored using previously generated wallets will remain vulnerable, and need to be migrated to a new secure wallet.

How do the researchers involved in this project personally protect their crypto assets?

The team members use a wide array of commercially available hardware wallets as well as custom built solutions, while some do not have crypto-assets at all.

In a nutshell, what are your personal “lessons learned”?

See lessons learned.

Is my major exchange cold storage impacted?

If it doesn’t rely on bx seed, then we have no indications for it.

Do you have any general advice for avoiding this type of flaw?

Any recommendations for experts?

We could fit an entire book of advice here, but some top of mind items:

Do you accept donations?


Can I hire any of you?

Sure! If you like our work, check out the following commercial services offered by different team members and organizations.