Milk Sad - How Weak Entropy can Ruin Your Savings (CVE-2023-39910)
In late July and August 2023, a team of fellow researchers and I rushed to understand, write up and publish a serious cryptocurrency wallet creation issue in the Libbitcoin Explorer bx software tool that left victims exposed to remote & automated wide-scale theft of funds.
The coordinated theft of assets that happened on 2023-07-12, during which bx users' funds were targeted along with other weak wallet types, amounted to millions of dollars in damages across hundreds of victims and various blockchains and coin types.
We found that the core issue for bx was the usage of the unsuitable Mersenne Twister Pseudo Random Number Generator (PRNG) algorithm, which led to cryptocurrency assets being stored on what is essentially a “32 bit number in a trench coat”, instead of a strong private key. Anyone with knowledge of the issue and a moderate amount of computing power could reverse these without any access to the victim’s computer and use the recovered private keys to move funds away. We gave this vulnerability the codename Milk Sad after the first weak BIP39 mnemonic key output, and worked frantically during a short period of 2 1/2 weeks between detection and disclosure to learn, research and explore what we could about the issue and its backstory. Our motivation was to help users save their remaining funds and understand the problem, and to help developers fix and prevent issues like this in the future.
You can read the results in the full disclosure writeup.
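The "32 bit number in a trench coat" effect, as an added example that is not code from bx or from the disclosure writeup: 256 bits of key material drawn from a Mersenne Twister are fully determined by its seed, so a 32-bit seed caps the keyspace at 2^32, while the operating system's CSPRNG has no such cap. Python's `random` module stands in for the Mersenne Twister here; its seeding and byte extraction are assumptions of this sketch and do not match how bx derived wallet entropy, and all function names are hypothetical.

```python
import random   # CPython's random module is a Mersenne Twister (MT19937)
import secrets  # draws from the operating system's CSPRNG

KEY_BYTES = 32  # 256 bits of key material, as a wallet seed would need


def weak_key_material(seed32: int) -> bytes:
    """Anti-pattern: 256 output bits that depend only on a 32-bit seed.

    Assumption: Python's seeding is used for illustration; it is not the
    seeding or byte extraction used by bx.
    """
    if not 0 <= seed32 < 2**32:
        raise ValueError("seed must fit in 32 bits")
    prng = random.Random(seed32)
    return prng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def strong_key_material() -> bytes:
    """Corrected form: every output bit comes from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def keyspace_bits(seed_bits: int, output_bits: int = KEY_BYTES * 8) -> int:
    """Upper bound on the entropy of a deterministic generator's output."""
    return min(seed_bits, output_bits)


def distinct_outputs(seed_count: int) -> int:
    """Count distinct keys over the first seed_count seeds (constructed sample)."""
    return len({weak_key_material(s) for s in range(seed_count)})


if __name__ == "__main__":
    # Same seed, same "private key": the 256-bit value carries no extra secrecy.
    print(weak_key_material(1234) == weak_key_material(1234))
    print("effective bits, 32-bit seed:", keyspace_bits(32))
    print("distinct keys over 4096 seeds:", distinct_outputs(4096))
    print("CSPRNG outputs differ:", strong_key_material() != strong_key_material())
```

A wallet's entropy source can be checked the same way in a regression test: if key generation is reproducible from any small input, the key is only as strong as that input.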
For “normal” software vulnerabilities, most of the research work is done after identifying, reproducing, classifying and disclosing them.
Not in this case - exploring the complex and wide-reaching impacts of the vulnerability is a huge task, with practical challenges for coding the necessary custom tooling and analyzing the results. I’m investing a lot of research time to further understand and publish new information on Milk Sad and previous similar vulnerabilities as a series of research updates, since they’re both fascinating and under-reported. Head over there if you want to read more!