Recent findings have revealed a significant vulnerability in the widely recognized Libbitcoin Explorer (bx) cryptocurrency wallet tool.
If you have ever generated a wallet through this software or followed guidance from the book “Mastering Bitcoin,” your digital assets might be in danger—or even worse—already stolen.
Catastrophic Crypto Wallet Vulnerability
This vulnerability, designated CVE-2023-39910, unveils a catastrophic weakness in the bx seed subcommand responsible for new crypto wallet private key entropy generation. Shockingly, it was discovered that Libbitcoin Explorer 3.x versions employ the Mersenne Twister pseudorandom number generator (PRNG), which is initialized with 32 bits of system time.
So, instead of creating a unique and secure password for every user, the software was occasionally generating the same password. Malevolent actors have identified this weakness and have begun draining funds from unsuspecting users’ wallets.
To read more on crypto wallet security features, check our guide on multisig wallets: What Are Multisig Wallets and How Do They Work?
It’s worth highlighting that the vulnerability’s dangerousness lies in the poor generation of cryptographic numbers. Typically, a secure cryptographic system requires large, unpredictable numbers. With a frail random number generator, the encryption becomes practically useless.
So, instead of having wallet security at robust levels like 128-bit, 192-bit, or 256-bit, it plunges to a meager 32-bit.
Although 4,294,967,296 (2^32) unique combinations might sound huge, it’s not much work for modern computers to break. With the current advancements in computing, a standard gaming PC can search these combinations in less than 24 hours.
Though there are multiple variations to test, it’s still a staggeringly short time frame. This is especially true when an attacker can subsequently gain full control of one’s funds, inspect previous wallet transactions, and even sign messages.
Protect Yourself
This fault brings forth a chilling reality. No matter how safely you store your wallet credentials—be it digitally or even as a paper wallet in a physical bank vault—your assets are susceptible to theft. Records show that these malicious attacks peaked around July 12, 2023. Other signs indicate that initial exploitations began earlier in May 2023.
Renowned figures in the crypto community have voiced concerns. Binance CEO Changpeng Zhao stated,
“Self custody wallets are not without risks. I am supportive of self custody, IF you know what you are doing. Stay #SAFU!”
Further emphasizing the crux of the vulnerability, he mentioned,
“This vulnerability is due to the random number generator using a 32 bit seed, which is not sufficiently random against modern cracking such as GPUs. Trustwallet and Binance wallets do not use this for seed phrase generation.”
The Libbitcoin Explorer debacle is a stern reminder that while this new era of finance and asset custody offers many new opportunities, it also poses immense risks. It’s important for anyone using crypto to ensure the use of trusted tools and stay updated about potential vulnerabilities.
In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content.
This article was initially compiled by an advanced AI, engineered to extract, analyze, and organize information from a broad array of sources. It operates devoid of personal beliefs, emotions, or biases, providing data-centric content. To ensure its relevance, accuracy, and adherence to BeInCrypto’s editorial standards, a human editor meticulously reviewed, edited, and approved the article for publication.
