A newly discovered vulnerability in the Libbitcoin Explorer 3.x library has allowed over $900,000 to be stolen from Bitcoin users, according to a report from blockchain security firm SlowMist. The vulnerability can also affect users of Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash and Zcash who use Libbitcoin to generate accounts.
SlowMist Security Alert
Recently, #Distrust discovered a severe vulnerability affecting cryptocurrency wallets using the #Libbitcoin Explorer 3.x versions. This vulnerability allows attackers to access wallet private keys by exploiting the Mersenne Twister pseudo-random…
— SlowMist (@SlowMist_Team) August 10, 2023
Libbitcoin is a Bitcoin wallet implementation that developers and validators sometimes use to create Bitcoin (BTC) and other cryptocurrency accounts. According to its official website, it is used by “Airbitz (mobile wallet), Bitprim (developer interface), Blockchain Commons (decentralized wallet identity), Cancoin (decentralized exchange)” and other applications. SlowMist did not specify which applications that use Libbitcoin, if any, are affected by the vulnerability.
Cointelegraph reached out to the Libbitcoin Institute through email but had not received a comment at the time of publication.
SlowMist identified cybersecurity team “Distrust” as the team that originally discovered the loophole, which is called the “Milk Sad” vulnerability. It was reported to the CEV cybersecurity vulnerability database on Aug. 7.
According to the post, the Libbitcoin Explorer has a faulty key generation mechanism, allowing private keys to be guessed by attackers. As a result, attackers exploited this vulnerability to steal over $900,000 worth of crypto as of Aug. 10.
SlowMist emphasized that one attack in particular siphoned away over 9.7441 BTC (approximately $278,318). The firm claims to have “blocked” the address, implying that the team has contacted exchanges to prevent the attacker from cashing out the funds. The team also stated that it will be monitoring the address in case funds are moved elsewhere.
Four members of the Distrust team, along with eight freelance security consultants who claim to have helped discover the vulnerability, have set up an informational website explaining the vulnerability. They explained that the loophole is created when users employ the “bx seed” command to generate a wallet seed. This command “uses the Mersenne Twister pseudorandom number generator (PRNG)…
Click Here to Read the Full Original Article at Cointelegraph.com News…