Does Electrum use Libbitcoin ? | Bitcointalksearch.org

Youghoor

sr. member

Activity: 1036

Merit: 275

Quote from: adaseb on August 10, 2023, 03:26:48 PM

Hearing that there is some exploit with any software wallets which use Libbitcoin Explorer 3.x

However they are not stating which wallets are affected. Only that so far $900,000 was stolen due to some poor random number generator when generating seeds.

How do we find out if Electrum uses this dependency?

The Libbitcoin library is not a dependency of Electrum. Even though Electrum and Libbitcoin both deal with Bitcoin and cryptocurrencies, they are independent endeavors with various goals. Electrum's main functionality is neither directly included into or dependent upon Libbitcoin as it has its own codebase.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: pooya87 on August 20, 2023, 04:35:02 AM

From all of the projects and services I mentioned in my previous post, I think the most popular brand is Edge Wallet. At least it's something I have heard of compared to many of the other names. But it's not known if the new and rebranded Edge wallet still uses/used Libbitcoin libraries in its more current releases. It's a multi-coin wallet with exchange, staking, and buy/sell options, making it most probably closed-source to check anything.

pooya87

legendary

Activity: 3430

Merit: 10505

Quote from: Pmalek on August 19, 2023, 12:51:33 PM

OpenBazaar is a decentralized crypto marketplace. Its website says a new version is coming soon.

The activity on this whole project looks very disappointing so I don't think they'll even notice if there is a problem specially since nobody reported anything on their repository. Although skimming through the code quickly I believe they only used libbitcoin for communication as server/client thing not for key generation.

https://github.com/OpenBazaar

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: adaseb on August 11, 2023, 12:39:10 AM

I didn’t think electrum was affected since there were no threads here. However all the articles didn’t state which wallets were used by the dependency.

Some hints about wallets and partners are available on Libbitcoin's website. If you scroll down towards the bottom, you'll come across the "Projects using Libbitcoin" section. The website mentions several names there, although, there are surely more.

The first one, Chip-Chap used to be a Spanish crypto to fiat exchange. I said used to because the website isn't working now.
DarkWallet was a browser extension intended to become a privacy-focused wallet. It's been abandoned, though, and is no longer maintained.
Airbitz is now Edge Wallet. A multi-coin mobile wallet.
I am not sure about Joystream. Seems it was a video platform and a DAO.
Darkleaks was a black market where you could anonymously sell leaked and stolen data. It's dead now.
OpenBazaar is a decentralized crypto marketplace. Its website says a new version is coming soon.
CanCoin is an altcoin that seems abandoned. I am guessing they tried to build some kind of community of users, buyers, and sellers. If we only had a currency we could use for that kind of thing.
Lastly, slur.io seems to have been a site to sell and obtain user data according to search engine results.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Libbitcoin is a C++ project.

Electrum only uses Python dependencies, or C++ dependencies that are compiled into "wheels" (binary format) first, like libsecp256k1, which libbitcoin does not have on PyPI.

Bitcoin_Arena

copper member

Activity: 2016

Merit: 1783

฿itcoin for all, All for ฿itcoin.

Someone raised a similar issue on GitHub

Quote from: https://github.com/spesmilo/electrum/issues/8570#issue-1842671994

Hey,
is it a chance that Electrum is vulnerable because of the CVE-2023-39910?

See also: milksad.info

Regards
Michał

This was the response from one of the Devs

Quote from: https://github.com/spesmilo/electrum/issues/8570#issuecomment-1671192869

Hi. Nice write-up.

Electrum uses the secrets module from the python standard library as source of entropy. Before that, os.urandom was used directly. Both are considered cryptographically secure.

The interesting code starts here:
electrum/electrum/mnemonic.py

Line 200 in bf86cd6

Code:

def make_seed(self, *, seed_type=None, num_bits=None) -> str:

So, no, this issue should not affect Electrum.

ranochigo

legendary

Activity: 2954

Merit: 4158

Quote from: pooya87 on August 12, 2023, 06:10:30 AM

That would be one reason but in my opinion the main reason should always be that any general purpose implementation of ECC runs the risk of having "weird" behavior which is not necessarily bug or weakness, just a weird behavior that is not suitable for a consensus critical protocol such as bitcoin that needs to be strict.
The best example of "weird" behavior is OpenSSL that used to be used by bitcoin core. One issue was its value parsing rules in places such as signatures (DER), etc. That doesn't cause any issues when the library used for something like parsing a website certificate in your browser, but that can be the source of a lot of issues in something like Bitcoin.

BTW Electrum used to use pure python implementation of ECC called python-ecdsa before they migrated to libsecp256k1.

That's also true. Electrum used to use python-ecdsa with some monkey patching done to it while they were using it. It was slower though, as compared to libsecp256k1 library, that, Qt and cryptography are not pure python. The migration was done to enforce and improve performance; it used to be optional before the introduction of lightning which necessitated the speedup.

pooya87

legendary

Activity: 3430

Merit: 10505

Quote from: ranochigo on August 11, 2023, 01:04:29 AM

There is a pure python secp256k1 library out there but I guess there are reasons for not adopting those but using more mainstream ones instead. ** Possibility due to adoption and how thoroughly tested those are.

That would be one reason but in my opinion the main reason should always be that any general purpose implementation of ECC runs the risk of having "weird" behavior which is not necessarily bug or weakness, just a weird behavior that is not suitable for a consensus critical protocol such as bitcoin that needs to be strict.
The best example of "weird" behavior is OpenSSL that used to be used by bitcoin core. One issue was its value parsing rules in places such as signatures (DER), etc. That doesn't cause any issues when the library used for something like parsing a website certificate in your browser, but that can be the source of a lot of issues in something like Bitcoin.

BTW Electrum used to use pure python implementation of ECC called python-ecdsa before they migrated to libsecp256k1.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Quote from: Yamane_Keto on August 12, 2023, 02:28:42 AM

Although I think that using Electrum is safe for those who want to HODLing Bitcoin and do not have technical experience, but making sure that your private key was randomly generated or at least knowing how we can generate a random private key (128-bit entropy + checksum) is required and learning it is not difficult .

To hold, it would be safer on a cold wallet. If you want to use Electrum as a cold storage on an airgapped device, you will need to read about it and that means you are having the technical knowledge gradually. All that is required is if you are interested to make your wallet more secure.

I can only recommend (online) Electrum wallet for low amount of coins which you are spending.

Yamane_Keto

sr. member

Activity: 406

Merit: 443

Quote from: Faisal2202 on August 11, 2023, 02:24:01 PM

if something would be wrong or it will be made by using those generators then we definitely get to hear some alert or news about it as it is open source and many developers are doing favors for checking the Electrum for exploits.

I am relieved now after reading many replied here.

Although I think that using Electrum is safe for those who want to HODLing Bitcoin and do not have technical experience, but making sure that your private key was randomly generated or at least knowing how we can generate a random private key (128-bit entropy + checksum) is required and learning it is not difficult .

This thread will teach you the basics https://bitcointalksearch.org/topic/--5316005 and with a little research you can generate a private key that is guaranteed to be random and *impossible* to Brute-force it (not recommended for beginners or if you don't really know what you're doing)

Faisal2202

sr. member

Activity: 1064

Merit: 437

#SWGT CERTIK Audited

Thanks for asking this question i actually read this thread yesterday --> https://bitcointalksearch.org/topic/m.62671275 and started to wonder why we should scare of care for this because I am not a developer or any technical person who might have used this BX seed generator to generate one but I also thought what if the wallet I am using might be using BX like electrum. Then I thought Electrum is open source so if something would be wrong or it will be made by using those generators then we definitely get to hear some alert or news about it as it is open source and many developers are doing favors for checking the Electrum for exploits.

I am relieved now after reading many replied here.

Yamane_Keto

sr. member

Activity: 406

Merit: 443

No, and the number of open source wallets affected by Libbitcoin is small, at some point EdgeApp was using that library.

Quote from: logfiles on August 10, 2023, 06:23:58 PM

The most cited affected wallet was trust wallet.

Remember when there was an issue with trust wallet, and they even had to make a quick update?

Did you mean Trust Wallet Browser Extension issue? If so, I don't think the reason is Libbitcoin, and that problem was only related to the addresses generated by the Browser Extension not trust wallet app.

https://community.trustwallet.com/t/wasm-vulnerability-incident-update-and-recommended-actions/750786

I know that the current code is closed source, but the open source wallet-core does not indicate that they used Libbitcoin, but we cannot say that your money is safe because the browser extension vulnerability that was discovered was due to a bug bounty and therefore there may be a lot of these bugs, which is reason enough To stop using Trust Wallet.

https://github.com/trustwallet/wallet-core

ranochigo

legendary

Activity: 2954

Merit: 4158

Quote from: pooya87 on August 11, 2023, 12:57:36 AM

Electrum doesn't use this particular library (libbitcoin) but being written in Python doesn't mean it doesn't need or use dependencies written in other languages like C++. In fact one of the dependencies Electrum has is libsec256k1 which is written in C.

That's correct. It is installed when building Electrum and I forgot that it is required as part of the list of non-pip dependencies.

Regardless, Electrum still doesn't contain as many non-python dependencies as most wallets. Most of the wallets uses libsecp256k1, and seems to follow what Bitcoin Core does as well.

There is a pure python secp256k1 library out there but I guess there are reasons for not adopting those but using more mainstream ones instead. ** Possibility due to adoption and how thoroughly tested those are.

pooya87

legendary

Activity: 3430

Merit: 10505

Quote from: ranochigo on August 10, 2023, 10:25:01 PM

Electrum is written in Python and does not use any C++ dependencies. There is no reason for Electrum to use a third-party C++ module

Electrum doesn't use this particular library (libbitcoin) but being written in Python doesn't mean it doesn't need or use dependencies written in other languages like C++. In fact one of the dependencies Electrum has is libsec256k1 which is written in C. Some of its other dependencies (specially involving hardware wallets) utilize C++ libraries.

adaseb

legendary

Activity: 3738

Merit: 1708

Thank you all for replying. I didn’t think electrum was affected since there were no threads here. However all the articles didn’t state which wallets were used by the dependency.

So thank you all for clarifying and putting my mind on ease.

ranochigo

legendary

Activity: 2954

Merit: 4158

Electrum is written in Python and does not use any C++ dependencies. There is no reason for Electrum to use a third-party C++ module and besides, their seed generation is vastly different from how libbitcoin generates theirs.

Electrum uses os.urandom which is a CSPRNG. It does not suffer from this vulnerability.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Quote from: logfiles on August 10, 2023, 06:23:58 PM

The most cited affected wallet was trust wallet.

All close source wallet should be an example because we do not know how they generate their seed phrase.

Quote from: logfiles on August 10, 2023, 06:23:58 PM

Remember when there was an issue with trust wallet, and they even had to make a quick update?

Atomic wallet may be the good example to use, but other close source wallets included. But Trustwallet would have not gone for only update, it would have advised people not to generate seed phrase from the old version and not to use the seed phrase generated on the old version anymore.

logfiles

copper member

Activity: 1960

Merit: 1638

Top Crypto Casino

Quote from: adaseb on August 10, 2023, 03:26:48 PM

Hearing that there is some exploit with any software wallets which use Libbitcoin Explorer 3.x

However, they are not stating which wallets are affected. Only that so far $900,000 was stolen due to some poor random number generator when generating seeds.

The most cited affected wallet was trust wallet.

Remember when there was an issue with trust wallet, and they even had to make a quick update?

Quote from: adaseb on August 10, 2023, 03:26:48 PM

How do we find out if Electrum uses this dependency?

I believe electrum is safe, Since everything is open source unlike wallets like trust wallet, someone would have already pointed it out by now.

https://milksad.info/disclosure.html#searching-for-wallets---implementation

Edit:

Refer to this topic: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure!

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Electrum is another wallet entirely and Libbitcoin Explorer has nothing to do with Electrum as Electrum is an open source wallet and known to have a secure way of generating seed phrase.

Electrum wallet is not like Libbitcoin explorer (bx) that generates seed phrase with 32 bits of entropy which is not secure. Electrum wallet uses 132 bits of entropy which is secure enough.

Electrum Seed Version System

adaseb

legendary

Activity: 3738

Merit: 1708

Hearing that there is some exploit with any software wallets which use Libbitcoin Explorer 3.x

However they are not stating which wallets are affected. Only that so far $900,000 was stolen due to some poor random number generator when generating seeds.

How do we find out if Electrum uses this dependency?

Topic: Does Electrum use Libbitcoin ? (Read 246 times)