In late July and August 2023, a team of fellow researchers and I rushed to understand, write up and publish a serious cryptocurrency wallet creation issue in the bx software tool that left victims exposed to remote & automated wide-scale theft of funds.
The coordinated theft of assets that happened on 2023-07-12, during which bx users' funds were targeted along with other weak wallet types, amounted to millions of dollars in damages across hundreds of victims and various blockchains and coin types.
We found that the core issue for bx was the use of the unsuitable Mersenne Twister Pseudo Random Number Generator (PRNG) algorithm, which led to cryptocurrency assets being stored on what is essentially a “32 bit number in a trench coat”, instead of a strong private key. Anyone with knowledge of the issue and a moderate amount of computing power could reverse these without any access to the victim’s computer and use the recovered private keys to move funds away. We gave this vulnerability the codename Milk Sad after the first weak BIP39 mnemonic key output, and worked frantically during a short period of 2 1/2 weeks between detection and disclosure to learn, research and explore what we could about the issue and its backstory. Our motivation was to help users save their remaining funds and understand the problem, and to help developers fix and prevent issues like this in the future.
You can read the results in the full disclosure writeup.
For “normal” software vulnerabilities, most of the research work is done after identifying, reproducing, classifying and disclosing them.
Not in this case - exploring the complex and wide-reaching impacts of the vulnerability is a huge task, with practical challenges for coding the necessary custom tooling and analyzing the results. I’m investing a lot of research time to further understand and publish new information on Milk Sad and previous similar vulnerabilities as a series of research updates, since they’re both fascinating and under-reported. Head over there if you want to read more!