Unveiling Vulnerabilities in Libbitcoin
In a startling revelation, a loss of approximately $900,000 has shed light on the security vulnerabilities of Libbitcoin, a vintage alternative to Bitcoin Core. Developed in 2011 by British-Iranian anarchist developer Amir Taakia and a group of open-source coders, Libbitcoin was initially conceived as an alternative software for connecting to the Bitcoin network. Over time, it has transformed into a comprehensive suite of tools used for crucial functions such as interacting with the Bitcoin blockchain and generating cryptographic keys.
The "Milk Sad" Discovery
Unfortunately, what was once believed to be a secure solution has now been exposed as having weaknesses. Termed "Milk Sad," this issue came to the fore in late July, thanks to the efforts of information security firm Distrust (1). This discovery has cast a shadow of doubt over the safety of utilizing not only Libbitcoin but also other vintage cryptocurrency projects that might harbor similar vulnerabilities.
Unraveling the Exploitation
~$1M is the lower bound. We focused on btc, while the same seed may have been used across multiple chains. The full extent of the impact has yet to be determined.
— Anton Livaja (@antonleviathan) August 9, 2023
The vulnerability was initially exploited by hackers in May, when they uncovered an obscure flaw in wallets generated by the Libbitcoin explorer known as BX. Seizing this opportunity, the attackers began siphoning funds from unsuspecting users, leading to a substantial loss of cryptocurrencies. The name "Milk Sad" derives from the first two words (2) of a wallet-recovery seed phrase that resulted from this vulnerability, giving an insight into the distinct nature of the attack.
Magnitude of the Heist
The most significant theft occurred on July 12, as hackers managed to pilfer 29.65 Bitcoin (BTC), equivalent to around $870,000 in present valuation. The collective impact of the vulnerabilities led to a loss of more than $900,000 across multiple blockchains. This breach affected an estimated 2,600 bitcoin wallets that fell victim to the vulnerabilities present in Libbitcoin's codebase.
Beyond Bitcoin: Ripple Effects
The repercussions of the "Milk Sad" vulnerability were not confined solely to Bitcoin. This vulnerability cascaded across other prominent cryptocurrencies, including Ethereum, Zcash, Solana, and even Dogecoin. Notably, the same type of vulnerabilities was detected in well-known wallet apps such as Cake Wallet (3) and Trust Wallet (4), underscoring the importance of robust security practices across various platforms.
Root Cause: Seed Generation Function
The vulnerability originated from the seed generation function within BX (5), which failed to create sufficiently random seed phrases. This shortcoming facilitated the execution of brute-force attacks by malicious actors, enabling them to guess seed phrases and thereby compromise users' wallets and funds.
Developer Response and Lessons Learned
Eric Voskuil, the lead developer of BX, acknowledged the presence of the vulnerability. However, he contended that the flaw resulted from the misuse of the bx seed text command rather than an inherent issue with the software itself. This incident serves as a stark reminder of the significance of using tools correctly to ensure the highest level of security.
Urgent Need for Vigilance
The loss of approximately $900,000 from Libbitcoin wallets due to the "Milk Sad" vulnerability acts as a clarion call for heightened vigilance in the cryptocurrency realm. As vintage projects like Libbitcoin come under scrutiny, both developers and users must remain ever-watchful to ensure the robustness of their systems against potential vulnerabilities.
