Milk Sad: /home


We’re a small team of security researchers looking into the practical problems of weak private keys in popular cryptocurrencies. Our primary focus is keys generated with weak entropy.

Libbitcoin Explorer CVE-2023-39910

Our initial group formed in July 2023 to follow up on mysterious wallet thefts.

  • In 2023, we discovered that the Libbitcoin Explorer (bx) cryptocurrency wallet tool has flawed entropy generation for new wallets.
  • On vulnerable 3.x versions, bx seed used the weak Mersenne Twister pseudorandom number generator (PRNG) to produce cryptographic key material, which is a critical design error.
  • Attackers had used this fatal flaw, and others like it in other wallet software, to steal large amounts of funds from victims on 12 July 2023 in ways that would otherwise be impossible.

Current Research

After investigating CVE-2023-39910, a smaller team continued to look into other PRNG weaknesses. Interestingly, we found that the July 2023 theft involved more than one PRNG vulnerability.

Head over to the research updates section for everything that happened after August 2023.

As part of this continued effort, we publish research data to help other researchers identify thefts and attackers on-chain. Our collection contains over 300k cryptocurrency addresses of weak wallets.

Ethics

  • Milk Sad research rule: we do not withdraw funds from cryptocurrency wallets that aren’t ours.
  • As researchers, we’re mainly trying to shine a light on what happened, hoping to help avoid future disasters through more public awareness of the dangerous software flaws that caused them.

Why the silly “Milk Sad” name?

Running the vulnerable bx seed command with a system time of 0.0 always generates the following BIP39 secret:

milk sad wage cup reward umbrella raven visa give list decorate bulb gold raise twenty fly manual stand float super gentle climb fold park

Original 2023 Team & Credits

Relevant Design Patterns

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)