The Disappearance of $900,000 Draws Focus to Vintage Bitcoin Project Libbitcoin

In⁤ 2011, just two years after Bitcoin’s launch, ⁣Anglo-Iranian anarchist developer Amir Taakia and a group of open⁢ source‌ programmers created an alternative ⁢to Bitcoin Core -‍ the original and still most popular way to connect to it⁢ the ‍bitcoin ‍network.

This alternative software, branded Libbitcoin, has now evolved into a comprehensive suite of ⁤tools – a library – for essential functions such as ‍communicating with the Bitcoin ⁤blockchain and generating cryptographic⁣ keys.

It was even mentioned ⁣in⁤ the popular and arguably ‍canonical book Mastering Bitcoin by Bitcoin educator Andreas Antonopoulos.

This‍ is how the latest saga unfolded, according‍ to a report on milksad.info, which details the findings of Distrust, the security company that discovered the vulnerability in July, aided by a group​ of independent⁤ contributors.

Sometime in ‍May, hackers began stealthily stealing funds from unsuspecting users after discovering an obscure vulnerability in a series of wallets generated by the Libbitcoin explorer called BX.

The vulnerability was named “Milk Sad” because‍ “Milk” and “sad” were ‌the first two ‍words in a wallet recovery seed phrase generated by the⁢ vulnerability, ⁤the report states.

The most significant ‌theft — 29.65 bitcoin (BTC), ⁣worth about $870,000 at current rates — took place on July 12. According⁣ to Distrust, ​a total of at least⁣ $900,000 was stolen across multiple blockchains, including from ‌some of the approximately 2,600 bitcoin wallets affected by the vulnerability.

Hardware wallets like Trezor and Ledger appear to be unharmed, but there are⁤ still ⁢a number of ⁤wallets that‌ are at​ risk and the full extent ⁣of the stolen ⁤funds “is yet to be determined,”​ according to a tweet from Anton from August 8 Livaja, a member of​ the Distrust⁢ team.

BX ‌comes with a text command called “bx seed” that uses the clock on ‍a developer’s computer to create a seed phrase to create a wallet.

Crypto software provides random combinations of 12⁢ to ‍24 words or seed phrases for users who wish to “recover” or regain access to their ‌wallets‌ in the event of accidental⁣ loss.

However, when‍ using BX, it turns out that the resulting phrase is not ​sufficiently random. According to the⁣ report, “a decent gaming PC can do a brute-force search” or guess all possible word combinations for a user’s seed phrase “in less than a day.”

“Think of it like securing your online bank account with a password manager that generates a long, random password,” the report reads. “But often⁢ the same passwords are ‍created for ‍each user. Malicious⁣ people found out and pulled funds from every account they ​could find.”

Milk Sad is not limited to Bitcoin. Ethereum, Zcash, Solana and even Dogecoin are among the eight blockchains affected. ⁤Similar ⁤but not identical vulnerabilities have been discovered in Cake Wallet and Trust Wallet, both multi-chain wallet apps.

Typically, seed phrases are created⁣ using a generator capable of generating a set or “key space” containing a dizzying ⁢number of unique word combinations represented by the exponent of a binary digit or “bit” – im Essentially ⁣the number two raised to the power of 128, 192,‌ or 256.

BX has a paltry 32-bit key space ‍that can‍ only yield about 4.3 ‌billion unique‌ word combinations. “That’s not as many combinations as it sounds,” the report said.

Eric Voskuil, the main developer of BX, admitted⁣ that the seed⁢ generator was indeed insecure, but insisted that there was no bug in ‌the software and argued that the BX ⁢seed text command​ had⁤ been abused. He tweeted ‍a screenshot of the ‌application’s GitHub documentation warning developers about the vulnerability.

“This is⁢ not a⁤ bug‍ in BX or Libbitcoin,” Voskuil tweeted. “It’s reckless purse‌ development.”

Several ⁤cryptographers in the bitcoin community disagreed.

“The case is crystal clear,” tweeted Tim Ruffing, cryptographer at ⁢bitcoin infrastructure ⁢company Blockstream. “It’s your bug, period.”