New Vulnerabilities In Libbitcoin Explorer 3.x Allow Theft Of More Than IDR 13.5 Billion From Bitcoin Users

Bitcoin is vulnerable to theft in Libbitcoin Explorer 3.x library (photo: dock. Pixabay)

JAKARTA - A new vulnerability found in the Libbitcoin Explorer 3.x library has allowed more than 900.000 US dollars (Rp 13.5 billion) to be stolen from Bitcoin users, according to a report from blockchain security firm SlowMist. This vulnerability can also affect Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash, and Zcash users who use Libbitcoin to generate accounts.

Libbitcoin is the implementation of Bitcoin wallets that developers and validators sometimes use to create Bitcoin accounts and other cryptocurrencies. According to its official website, it is used by "Airbitz (cellular wallets), Bitprim (developer interfaces), Blockchain Commons (decentralized wallet identities), Cancoin (decentralized exchanges)" and other applications. SlowMist does not mention what app uses Libbitcoins affected by this vulnerability.

SlowMist identified the cybersecurity team "Distust" as the team that first discovered this loophole, called the "Milk Sad" vulnerability. A report on this vulnerability was reported to the CEV cybersecurity vulnerability database on August 7.

According to the post, Libbitcoin Explorer has a defective key generation mechanism, which allows attackers to predict personal keys. As a result, the attacker took advantage of this vulnerability to steal more than 900.000 US dollars in crypto on August 10.

SlowMist stressed that one special attack managed to steal more than 9,7441 BTC (approximately 278,318 US dollars). The company claims to have "blocked" the address, which implies that the team has contacted the exchange to prevent attackers from disbursing funds. The team also stated that they would continue to monitor the address if funds were moved elsewhere.

Four members of the Disust team, along with eight freelance security consultants who claim to have helped find this vulnerability, have created an informative website that explains its vulnerability. They explain that this loophole occurs when users use the "bx feed" order to generate a wallet feed.

The order "uses a fake random number generator Mersenne Twister which is initialized with 32 bits of system time," which lacks adequate randomness and sometimes produces the same seed for some.

The researchers claim to have found a vulnerability when they were contacted by a Libbitcoin user whose BTC mysteriously disappeared on July 21. When the user contacted other Libbitcoin users to try to find out how BTC could disappear, the person discovered that other users had also experienced BTC theft.

Cointelegraph tried to contact Libbitcoin Institute member Eric Voskuil to provide comment. In response, Voskuil stated that the "bx seeds" order was "available as convenience when the tool was used to demonstrate behavior that requires entropy" and is not meant to be used in production wallets.

"If people really use it for production key nursery (as opposed to rolling dice for example), then the warning is inadequate," Voskuil said. "In that case, we will most likely make some changes in the next few days to strengthen warnings about production use, or remove the order altogether."

The wallet vulnerability continues to be a problem for crypto users in 2023. More than $100 million was lost in the Atomic Wallet hack in June, which the app team recognized on June 22. CER's cybersecurity certification platform released its wallet security rating in July, noting that only six of the 45 wallet brands used penetration testing to find vulnerabilities.