  • A Libbitcoin vulnerability has let hackers steal close to $1 million from Bitcoin users, according to reports.
  • Libbitcoin Institute member Eric Voskuil reportedly said that bx seed is not meant to be used in production wallets.

Libbitcoin, a Bitcoin wallet implementation used by developers and validators to create crypto accounts, has been compromised according to blockchain security firm SlowMist. Investigation into the vulnerability of the Libbitcoin Explorer 3.x library disclosed that more than $900,000 has so far been stolen from Bitcoin users. Users of other cryptos including Ethereum, Dogecoin, Ripple, Solana, Bitcoin Cash, Litecoin, and Zcash who use Libbitcoin for their accounts are reportedly not safe and are advised to transfer all funds to secure wallets.

We strongly advise all users utilizing the Libbitcoin Explorer 3.x versions to immediately cease using the affected wallets and transfer funds to secure wallets. Be sure to use a verified, secure random number generation method to generate new wallets.

The blockchain security firm explains that the vulnerability stems from the implementation of the pseudo-random number generator (PRNG) in the Libbitcoin Explorer 3.x versions. Its assessment found that the implementation used the Mersenne Twister algorithm and only 32 bits of system time as the seed. This means threat actors would need just a few days to brute force the private keys of users.

Libbitcoin is currently used by Airbitz (mobile wallet), Cancoin (decentralized exchanges), Blockchain Commons (decentralized wallet Identity), etc. However, none of these were specified to be affected by the vulnerability. 

More on the Libbitcoin Vulnerability 

In a report found on the CVE cybersecurity vulnerability database, the Libbitcoin Explorer was said to have a faulty key generation mechanism, which makes it easier for threat actors to guess private keys. According to SlowMist, hackers made off with 9.7441 BTC ($278,318) in one attack. The initial action was to contact exchanges to prevent the attacker from withdrawing the funds.

A Distrust team of four members and eight freelancers is said to have discovered the vulnerability. According to them, a loophole is created whenever a user executes the “bx seed” command to generate a wallet seed. In most cases the command generates the same seed for multiple people. In other words, it lacks sufficient randomness. The discovery is said to have begun when a Libbitcoin user contacted them about the mysterious disappearance of his Bitcoin on July 21. The user had earlier reached out to other Libbitcoin users to ask why his wallet was empty without a trace, only to find out that “he was not alone.”
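The weakness described above (a Mersenne Twister seeded with 32 bits of system time, producing the same seed for multiple users) can be modelled next to a hardened alternative. This is an added example, not code from Libbitcoin or from the reports cited here; the function names, the constructed clock readings and the use of /dev/urandom on a Unix-like host are assumptions made for illustration.

```cpp
// Added illustration; not libbitcoin code. Models the pattern the article
// describes: a Mersenne Twister seeded with 32 bits of system time.
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <random>
#include <set>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// Weak: every output byte is a pure function of the 32-bit clock value, so a
// "256-bit" seed carries at most 32 bits of entropy.
Bytes weak_seed(std::uint32_t clock32, std::size_t n) {
    std::mt19937 twister(clock32);           // Mersenne Twister, 32-bit seed
    Bytes out(n);
    for (auto& b : out) b = static_cast<std::uint8_t>(twister() & 0xFF);
    return out;
}

// Hardened: take the bytes from the operating system CSPRNG instead
// (assumption: a Unix-like host that exposes /dev/urandom).
Bytes secure_seed(std::size_t n) {
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    Bytes out(n);
    if (!urandom.read(reinterpret_cast<char*>(out.data()),
                      static_cast<std::streamsize>(n)))
        throw std::runtime_error("could not read /dev/urandom");
    return out;
}

// Count distinct seeds produced by a set of users, given each user's
// (constructed) clock reading. Equal readings collapse to one seed.
std::size_t distinct_weak_seeds(const std::vector<std::uint32_t>& readings) {
    std::set<Bytes> seen;
    for (auto r : readings) seen.insert(weak_seed(r, 32));
    return seen.size();
}

int main() {
    // Constructed clock readings: users 1 and 3 hit the same 32-bit value.
    std::vector<std::uint32_t> readings = {0x64BA1234u, 0x64BA1235u, 0x64BA1234u};
    std::printf("users=%zu distinct weak seeds=%zu\n",
                readings.size(), distinct_weak_seeds(readings));
    std::printf("secure seeds equal? %s\n",
                secure_seed(32) == secure_seed(32) ? "yes" : "no");
}
```

However long the requested seed is, the weak generator can only ever emit one of 2^32 possible outputs, which is why the advice is to regenerate wallets from a verified secure random source.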

Following these concerns, reporters reached out to Libbitcoin Institute member Eric Voskuil for comment. He clarified that “bx seed” is not meant to be used in production wallets. Rather, it is intended as “a convenience for when the tool is used to demonstrate behavior that requires entropy.” He further stated that if people used it for production key seeding, then the warning is not sufficient. For now, they intend to make changes in a few days by either removing the command altogether or strengthening the warning against production use.

Wallet vulnerabilities have contributed to millions of dollars lost on various exchanges. In June, the hack of Atomic Wallet saw hackers stealing about $100 million. Most of these are linked to negligence. Cybersecurity certification platform CER recently disclosed that only 6 out of 45 wallet brands used penetration testing to uncover vulnerabilities. 

 



John is a seasoned cryptocurrency and blockchain writer and researcher, boasting an extensive track record of years immersed in the ever-evolving digital frontier. With a profound interest in the dynamic landscape of emerging startups, tokens, and the intricate interplay of demand and supply within the crypto realm, John brings a wealth of knowledge to the table. His academic background is marked by a Bachelor's degree in Geography and Economics, a unique blend that has equipped him with a multifaceted perspective. This diverse educational foundation allows John to dissect the geographical and economic factors influencing the cryptocurrency market, offering insights that go beyond the surface. John's dedication to the crypto and blockchain space is not merely professional but also personal, as he possesses a genuine passion for the technologies that underpin this revolutionary industry. With his astute research skills and commitment to staying at the forefront of industry trends, John is a trusted voice in the world of cryptocurrencies, helping readers navigate the complex and rapidly changing terrain of digital assets and blockchain innovation. John Kiguru is an accomplished editor with a strong affinity for all things blockchain and crypto. Leveraging his editorial expertise, he brings clarity and coherence to complex topics within the decentralized technology sphere. With a meticulous approach, John refines and enhances content, ensuring that each piece resonates with the audience. John earned his Bachelor's degree in Business, Management, Marketing, and Related Support Services from the University of Nairobi. His academic background enriches his ability to grasp and communicate intricate concepts within the blockchain and cryptocurrency space. Business Email: info@crypto-news-flash.com Phone: +49 160 92211628
