Topic: [WARNING] Wallets created with Libbitcoin Explorer (bx) are insecure! (Read 810 times)

staff
Activity: 4284
Merit: 8808
For most PRNGs it is not too hard to determine the seed just from seeing the output and often the seed is big enough to avoid finding it by guessing.  For a CSPRNG you cannot find the seed from the output (because the derivation function is cryptographic) or by guessing (because the state space is too big).  This makes all the difference in the world.

Also, aren't there Hardware-RNGs
There are but they're kinda dangerous.  The issue is that it's often easy for a hardware RNG to fail in a way that makes it still look random but in reality it is somewhat predictable to an attacker.  The best way to use one is to take a lot of output from one, feed it to an expensive cryptographic hash, and use the output as a seed to a CSPRNG.  If it's done this way then the result will be secure so long as there was enough randomness anywhere in the data to get the CSPRNG securely seeded.

If you want to be paranoid, after starting up that CSPRNG, get randomness by xoring the CSPRNG and the hardware RNG.  So then the result is secure if either the initial seeding and CSPRNG is good enough or the hardware stream is good enough.
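
The pipeline described in this post, as an added example in Python (not the poster's code and not anything from libbitcoin): a lot of hardware output is folded through an expensive hash, the result seeds a CSPRNG, and the CSPRNG stream is then XORed with the live hardware stream. The HMAC-DRBG is a minimal one written here rather than a library implementation; the hardware device is modelled as a caller-supplied function, with `healthy_hardware` (os.urandom standing in for a real device) and a constructed `stuck_hardware` that silently degraded to a constant, which is the failure mode the post warns about.

```python
import hashlib
import hmac
import os
from typing import Callable

HwSource = Callable[[int], bytes]  # read n bytes from a (real or modelled) hardware RNG


class HmacDrbg:
    """Minimal HMAC-DRBG over SHA-256 after NIST SP 800-90A (no personalisation string,
    no reseed counter). Written for this example; production code should use the OS CSPRNG
    or a vetted library."""

    def __init__(self, seed_material: bytes) -> None:
        self.key = b"\x00" * 32
        self.val = b"\x01" * 32
        self._update(seed_material)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, data: bytes) -> None:
        self.key = self._mac(self.val + b"\x00" + data)
        self.val = self._mac(self.val)
        if data:
            self.key = self._mac(self.val + b"\x01" + data)
            self.val = self._mac(self.val)

    def generate(self, nbytes: int) -> bytes:
        out = b""
        while len(out) < nbytes:
            self.val = self._mac(self.val)
            out += self.val
        self._update(b"")  # ratchet: a captured state does not reveal earlier outputs
        return out[:nbytes]


def condense_hardware_output(raw: bytes, iterations: int = 100_000) -> bytes:
    """Fold a large hardware sample into a 256-bit seed with an expensive hash
    (PBKDF2-HMAC-SHA256). The cost taxes an attacker who has to test many candidate
    inputs; it adds no entropy that `raw` did not already contain."""
    return hashlib.pbkdf2_hmac("sha256", raw, b"hwrng-condense", iterations, dklen=32)


def seed_from_hardware(read_hw: HwSource, sample_bytes: int = 4096) -> HmacDrbg:
    """Take plenty of hardware output, condense it, and seed the CSPRNG with the result."""
    return HmacDrbg(condense_hardware_output(read_hw(sample_bytes)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def paranoid_random(drbg: HmacDrbg, read_hw: HwSource, nbytes: int) -> bytes:
    """Belt and braces: CSPRNG stream XOR raw hardware stream. The output is unpredictable
    if either the seeding plus DRBG or the live hardware stream is good."""
    return xor_bytes(drbg.generate(nbytes), read_hw(nbytes))


def healthy_hardware(n: int) -> bytes:
    """Stand-in for a working device: the OS CSPRNG (assumption for this example)."""
    return os.urandom(n)


def stuck_hardware(n: int) -> bytes:
    """Constructed failure mode: a device that quietly degraded to a constant output."""
    return b"\xaa" * n


if __name__ == "__main__":
    # Seeded from a stuck device, two independently built DRBGs agree on every byte:
    # the attacker who guesses the failure mode knows the whole stream.
    a = seed_from_hardware(stuck_hardware).generate(32)
    b = seed_from_hardware(stuck_hardware).generate(32)
    print("stuck device -> identical DRBG output:", a == b)
    # XORing with a healthy live stream rescues the output anyway.
    drbg = seed_from_hardware(stuck_hardware)
    print(paranoid_random(drbg, healthy_hardware, 32).hex())
```

The `paranoid_random` construction is symmetric: in the second case above the DRBG is worthless and the hardware stream carries the output; if instead the DRBG was well seeded and the device later got stuck, the DRBG stream carries it. The price is that the DRBG state is now a secret to protect, as the post says.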
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
My understanding is indeed that MT is not a CSPRNG, as it will always deterministically produce fixed numbers, but that with enough bits in the seed it is practically impossible to detect the pattern. The problem with Libbitcoin is exactly the low entropy in the seed.

Not an expert in this field but from what I have read about PRNGs is that they are some sort of state machine which is seeded by some initial value, usually called a seed value. This seed value determines all future pseudo-random values that the PRNG generates based on some suitable algorithm. Same seed for the PRNG generates the same future pseudo-random number series. Therefore it is crucial to input good entropy as seed to a PRNG. Here Libbitcoin failed completely with known results.

The algorithm which generates the pseudo-random values of a PRNG should ideally have a very large periodicity and numbers generated should be evenly distributed without a bias. There has been a lot of research in this area for apparent reasons and this also determines the "quality" of a PRNG.

TL;DR Every PRNG is to my knowledge deterministic. If you know or can predict or guess the seed, you know all future pseudo-random numbers a PRNG will output. I believe this also applies to CSPRNG, but I would've to dig deeper what distinguishes a CSPRNG from a PRNG.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Nah, Intel has been screwing up for decades.
I know, and they are doing it on purpose (probably)

Never attribute something to malfeasance when it can be attributed to incompetence.
I don't think they are leaving holes in because they want to, a lot of security people even agree with me on that.

They are trying to put so much in so quickly, there is exactly 0 possibility to do all the QC needed.

One engineer lecturer said it the best. Between final tape out and production to do a full attack vector scan on something as complex as a modern processor is probably going to take 18 months. Meanwhile your competition did not bother doing that and are now 1 1/2 to 2 generations ahead of you.

Which brings us back to this. People are lazy and want it yesterday and make it quick and simple and make sure everything is perfect.
Should this code have been used. No. Should people have looked deeper. Yes. Did anyone? Well, we know the answer to that.

The more things change, the more they stay the same.

Something I have posted a few times over the years about bad chip design from decades and decades ago:

Quote
The Amstrad Plus ASIC improved a lot of the old CPC's capability. Yet this was a bit flawed.

    Despite removing some tasks from the CPU (Z80), ASIC registers are mapped onto memory from #4000 to #7FFF range prior to other type of memory (RAM or ROM). That means this memory range is not accessible when ASIC registers are paged.

    PPI emulation is not correct as the original 8255 does not need validation. On ASIC emulation, this validation is needed so some programs written for "old CPCs" will not be able to get keyboard state.

    Z80 IM2 mode is bugged. In this mode, the Z80 I register gives the high word for vector table. ASIC gives the low word from IVR and the devices that generate interrupt (raster and DMA channels). ASIC sometimes generates bad values and the raster interrupt routine is called instead of DMA0 routine. The reasons of this bug are not known.

    There is a conflict between programmable interrupts and some CRTC settings (line screen split). That will cause the RAM refresh to stop and the memory content will be quickly corrupted causing machine crash.

    Reducing Horizontal BLanking could cause another internal conflict when using DMA lists. In the worst case, this conflict can cause irreversible damage to the ASIC.
 

The last one takes the cake, you can make a programming mistake and damage your chip. Say what? Not overclocking, not over powering, just try to do a blank with using DMA and oops *poof*. Yet, that made it out the door.

-Dave
legendary
Activity: 2212
Merit: 7064
Looks like it only affects intel core 6th to 11th gen, so at least my Sandy Bridge server is not affected
Don't worry, Sandy Bridge has its own bugs and flaws, and if you apply all fixes they slow down processor speed a lot

A true RNG uses numbers that are created from noise entropy like from your mouse, keyboard, disk.
Sorry but you are wrong about this.
Do better research what TRUE RNG is and how it can be generated, I won't go offtopic with that anymore.

There is nothing random in Mersenne Twister. If you feed it the same seed, you will always get the same output.
True randomness for a computer is extremely difficult and a really vague concept.
It's not that vague or hard at all... just roll casino dice enough times and you have it, and something similar can be done with hardware devices.
If something can easily be repeated and reproduced then it's not really random.

Nah, Intel has been screwing up for decades.
I know, and they are doing it on purpose (probably)

legendary
Activity: 2114
Merit: 1403
Disobey.
There is nothing random in Mersenne Twister. If you feed it the same seed, you will always get the same output.
That might create an unhelpful equivalence.

There are CSPRNGs -- cryptographically secure pseudorandom number generators.  Once you feed in enough (say 256 bits) of genuine randomness they run deterministically and spout out as many random numbers as you want, which are generally just as good as new random values-- arguably better in that you're not exposed to a hardware TRNG flaking out or being slow.  Their main downside is that their state is a secret you have to protect.

Then there are non-CS PRNGs, like mersenne twister.   The output from those shouldn't be used for security relevant purposes because attackers can predict them from seeing some earlier output (or sometimes without seeing any output at all, for really bad ones).
[...]
Reminds me, wasn't there someone that stole a few thousand BTC a little less than a decade ago from Primedice that way? Fuzzy memory, but I thought they read out the current output of "random" numbers and with this information were able to determine the seed that was used to generate these numbers. With the seed they could then predict the upcoming outputs from the RNG.

Also, aren't there Hardware-RNGs - Pokerstars for example claims/claimed to have one in use to "shuffle" their virtual cards. I think it uses radioactive decay to create this kind of true randomness.

Edit, did a little research, seems they use a LASER beam - my guess is it's actually a quantum effect, nothing to do with radioactive decay. (?)
Not too much real info here, but still entertaining: https://www.youtube.com/watch?v=-DkHzOUzDjc
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
...Call me a conspiracy realist, but I think these flaws were intentionally there from the start and they are coming from inside Intel, but AMD is probably doing something similar...

Nah, Intel has been screwing up for decades. https://en.wikipedia.org/wiki/Pentium_FDIV_bug
Different world back then, but still the same problems. Big glaring issues with people trying to figure out how it made it past testing.


CoinDesk also takes up the topic again in an article: Disappearance of $900K Puts Focus on Vintage Bitcoin Project Libbitcoin

Quote
Information security firm Distrust says a total of at least $900,000 was stolen across multiple blockchains.

...

Milk Sad is not restricted to Bitcoin. Ethereum, Zcash, Solana and even Dogecoin are among the list of eight blockchains affected.

Similar but not identical vulnerabilities have been detected in Cake Wallet and Trust Wallet, both multi-chain wallet apps.

Typically, seed phrases are created using a generator capable of producing a set or “key space” with a dizzying number of unique word combinations represented by the exponent of a binary digit or “bit” – essentially, the number two raised to the power of 128, 192 or 256.

...

Source: Disappearance of $900K Puts Focus on Vintage Bitcoin Project Libbitcoin

According to the security firm Distrust, at least ~$900k was stolen on multiple chains.

Similar problems were also found with the two well-known multi-coin wallets Cake Wallet and Binance's Trust Wallet. Especially Trust Wallet in particular is likely to be used by many forum members due to its aggressive marketing by Binance. Another reason to withdraw your coins from any Binance product.

I do (did) have funds in cake. Finally moved them out last night. It was a non trivial amount but not enough to lose sleep over if they vanished.
But I do know several other people using it and they had no issues either. Wonder how vulnerable it really was.

I only had 2 alts in there and only because it was the easiest one to deal with when someone wanted to pay me with an alt and it was the 1st one that looked decent. And then when someone else wanted to pay with an alt it wound up in there too.

Makes you wonder if cake is legit vulnerable how many people have some funds sitting in it for years like I did, and were planning to move them out soon. And just never did.

-Dave
staff
Activity: 4284
Merit: 8808
Thanks for clarifying. My understanding is indeed that MT is not a CSPRNG, as it will always deterministically produce fixed numbers, but that with enough bits in the seed it is practically impossible to detect the pattern. The problem with Libbitcoin is exactly the low entropy in the seed.
you can recover the MT state from the output even if the seed is big and random.  But it takes a lot of output and bx seed only outputs a single thing then quits.

So MT with secure seeding would probably be okay in bx seed (though fishy smelling), but wouldn't be okay in some other contexts.

Personally I'd never use MT for anything these days. There are alternatives that are much faster and have better properties, even where security isn't an issue.  It's a buzzword PRNG because it came into existence a time when people were using a lot of stuff that sucked a lot worse (and maybe because it has a cool name).
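
The state-recovery attack described in this post, as an added example (not the poster's code and not from any wallet project): Python's `random` module is MT19937, so 624 consecutive 32-bit outputs are enough to invert the tempering, rebuild the full 624-word state and clone the generator, after which every later output is known, regardless of how large and random the seed was. The victim below is seeded by Python from the OS CSPRNG, which is the "secure seeding" case. One output, which is all bx seed ever emits, gives an attacker nothing to work with here; the alignment check at the end shows that the 624 captured outputs do not even have to start at a state-block boundary.

```python
import random

N = 624  # MT19937 state size in 32-bit words


def untemper(y: int) -> int:
    """Invert the MT19937 output tempering on one 32-bit word."""
    y ^= y >> 18                       # undo y ^= y >> 18 (one pass suffices, shift >= 16)
    y ^= (y << 15) & 0xEFC60000        # undo y ^= (y << 15) & 0xEFC60000 (mask bits 15,16 are 0)
    x = y                              # undo y ^= (y << 7) & 0x9D2C5680: 7 bits recovered per pass
    for _ in range(5):
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x & 0xFFFFFFFF
    x = y                              # undo y ^= y >> 11: 11 bits recovered per pass
    for _ in range(3):
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def clone_mt19937(outputs: list[int]) -> random.Random:
    """Rebuild a generator from 624 consecutive 32-bit outputs (any alignment).

    The MT recurrence x[n+624] = f(x[n], x[n+1], x[n+397]) is defined on the infinite
    sequence of state words, so any 624 consecutive words determine all later ones;
    index 624 makes the clone twist on its next call, exactly as the victim will.
    """
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs) + (N,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def predict_next(outputs: list[int], count: int) -> list[int]:
    """Predict the victim's next `count` outputs from 624 observed ones."""
    clone = clone_mt19937(outputs)
    return [clone.getrandbits(32) for _ in range(count)]


if __name__ == "__main__":
    victim = random.Random()  # seeded by Python from os.urandom: the seed is unguessable
    victim.getrandbits(32)    # victim consumed some output before we started watching
    seen = [victim.getrandbits(32) for _ in range(N)]
    predicted = predict_next(seen, 5)
    actual = [victim.getrandbits(32) for _ in range(5)]
    print("predicted next 5 outputs correctly:", predicted == actual)
```

A wallet that draws many keys or nonces from one MT instance, and exposes any of them, is in this situation; a program that draws one value and exits is not, which is the distinction the post makes between bx seed and "some other contexts".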
legendary
Activity: 2268
Merit: 16328
Fully fledged Merit Cycler - Golden Feather 22-23
There is nothing random in Mersenne Twister. If you feed it the same seed, you will always get the same output.
That might create an unhelpful equivalence.


Thanks for clarifying. My understanding is indeed that MT is not a CSPRNG, as it will always deterministically produce fixed numbers, but that with enough bits in the seed it is practically impossible to detect the pattern. The problem with Libbitcoin is exactly the low entropy in the seed.
staff
Activity: 4284
Merit: 8808
There is nothing random in Mersenne Twister. If you feed it the same seed, you will always get the same output.
That might create an unhelpful equivalence.

There are CSPRNGs -- cryptographically secure pseudorandom number generators.  Once you feed in enough (say 256 bits) of genuine randomness they run deterministically and spout out as many random numbers as you want, which are generally just as good as new random values-- arguably better in that you're not exposed to a hardware TRNG flaking out or being slow.  Their main downside is that their state is a secret you have to protect.

Then there are non-CS PRNGs, like mersenne twister.   The output from those shouldn't be used for security relevant purposes because attackers can predict them from seeing some earlier output (or sometimes without seeing any output at all, for really bad ones).

Since bx seed just outputs a random value and quits, the fact that it used MT itself wasn't really a problem: if it were seeded with enough cryptographically strong randomness the MT wouldn't have caused practical harm in the context of bx seed.  It's the use of 32 bits of seeding, and that it came from the time rather than a source which had any chance of being secure.

Quote
True randomness for a computer is extremely difficult and a really vague concept.
Not really on modern computers-- they're equipped with a hardware TRNG.  And even without them computers with a user sitting at them have pretty good sources of timing randomness-- from keypress timings and mouse movements which the operating system records--  older hardware with no TRNG and computers with no local user are a more difficult matter.
legendary
Activity: 2268
Merit: 16328
Fully fledged Merit Cycler - Golden Feather 22-23
Downfall Attacks is affecting billions of modern processors and cloud computers, and this is even more dangerous:
https://downfall.page/

Looks like it only affects intel core 6th to 11th gen, so at least my Sandy Bridge server is not affected

So you're basically saying that a weak random number generator such as Mersenne Twister was used for generating seed phrase entropy in Cake Wallet and Trust wallet? (!)
I don't think this is a true random generator, but I could be wrong.
This is much bigger topic and there is a big difference between pseudo-random and random number generation.

A true RNG uses numbers that are created from noise entropy like from your mouse, keyboard, disk. The kernel collects the inputs and turns them into bits of entropy, which can then be read out by a true RNG function call. But if your algorithm is just generating numbers from a seed and state machine which is updated by previous numbers, then that is not secure at all.

There is nothing random in Mersenne Twister. If you feed it the same seed, you will always get the same output.
True randomness for a computer is extremely difficult and a really vague concept.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Downfall Attacks is affecting billions of modern processors and cloud computers, and this is even more dangerous:
https://downfall.page/

Looks like it only affects intel core 6th to 11th gen, so at least my Sandy Bridge server is not affected

So you're basically saying that a weak random number generator such as Mersenne Twister was used for generating seed phrase entropy in Cake Wallet and Trust wallet? (!)
I don't think this is a true random generator, but I could be wrong.
This is much bigger topic and there is a big difference between pseudo-random and random number generation.

A true RNG uses numbers that are created from noise entropy like from your mouse, keyboard, disk. The kernel collects the inputs and turns them into bits of entropy, which can then be read out by a true RNG function call. But if your algorithm is just generating numbers from a seed and state machine which is updated by previous numbers, then that is not secure at all.
staff
Activity: 4284
Merit: 8808
I am wondering, what is an insecure key, what does it look like, and were these compromised keys easier than our 1000 bitcoin puzzle keys?  They had to know something, was there any hint in the code itself telling you what to look for?
It's really obvious in the code to anyone who reads it:

https://github.com/libbitcoin/libbitcoin-system/pull/559/commits/6d5a06e283d81260165e0eab95175069bf03b408#diff-e212c578b1951f97c871396a74c4224de9182ed922c8a95db56f995951743d17R42


        return static_cast<uint32_t>(now.time_since_epoch().count());
        ...
        // Seed with high resolution clock.
        twister.reset(new std::mt19937(get_clock_seed()));


It says directly that it's seeded with 32 bits of a high resolution clock.

Quote
In general I consider deterministic wallets/ seeds a vulnerability, gmaxwell was the first dev coming up with this idea right? It's only good and safe if you know what you are doing.
Your comment conflates two concepts:

A deterministic wallet is one that can be backed up. Without determinism your backup is invalid as soon as you send funds or generate a new address, and that is obviously pretty unsafe and impractical.  A wallet using determinism works the same as one that doesn't except backups actually work.  It's possible to footgun yourself due to backups working, but I think backups not working is a much bigger footgun as it is highly surprising.  And one should be careful to not emphasize protection against theft over protection against loss:  at the end of the day if your coins are gone they're gone and it doesn't matter if they were stolen or if you just lost them another way.  Prior to determinism wallets would contain a small buffer of pre-generated keys, which didn't make backups actually safe but made their failure modes rather weird and inexplicable.

Users handling "seeds" (or private keying material) directly, as they're forced to if they use bx explorer, is obviously dangerous even for experts (as *every* user of bx seed must have been to some extent), and that isn't anything I proposed and I've also generally cautioned against. (In fact, BIP-39 has a warning against its use written by me on its comments page.)  Sometimes the two concepts get treated as one because if every key is randomly generated then manually handling the individual keys would be very clunky and inconvenient, so any kind of user handled seed scheme will in practice also be a deterministic wallet scheme both because of that practicality and because every wallet today is (because backups exploding is not desirable!).

While I worked on Bitcoin Core it didn't implement any user handled "seed" functionality because of how error prone it is.  (Though arguably if it did some of the people who used bx seed would have been saved: had bitcoin core had this functionality it would have been reviewed and implemented correctly...)

In this case BX's only function for generating keying material was insecure, this meant any keys generated using it (be they bare private keys or BIP39 seeds) were insecure -- so I don't think you can say that determinism OR 'seeds' were particularly relevant to the risk here.
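
What "32 bits of a high resolution clock" means for an attacker, as an added example (not bx's code and not the poster's): a Python re-implementation of `std::mt19937` seeding and output, which the C++ standard fully specifies and which therefore reproduces the C++ generator bit for bit (checked against the standard's own 10000th-output value), a simplified model of bx-style key material derived from a 32-bit clock seed, and the brute-force recovery of that seed. Assumptions: `clock_seed_32` models `get_clock_seed()` as the nanosecond clock truncated to 32 bits, and `weak_seed_material` simply concatenates raw MT output words, whereas bx maps the twister output to bytes differently; neither changes the size of the seed space, which is the point. The example searches a window around the creation time; the whole 2^32 space is feasible offline without any guess at the time.

```python
import secrets
import time

N, M = 624, 397
MASK = 0xFFFFFFFF
UPPER, LOWER = 0x80000000, 0x7FFFFFFF
MATRIX_A = 0x9908B0DF


def mt19937_init(seed: int) -> list[int]:
    """std::mt19937(seed): init_genrand from the MT19937 reference code."""
    mt = [seed & MASK] + [0] * (N - 1)
    for i in range(1, N):
        mt[i] = (1812433253 * (mt[i - 1] ^ (mt[i - 1] >> 30)) + i) & MASK
    return mt


def mt19937_twist(mt: list[int]) -> None:
    """Advance the state by one full block of 624 words."""
    for i in range(N):
        y = (mt[i] & UPPER) | (mt[(i + 1) % N] & LOWER)
        v = mt[(i + M) % N] ^ (y >> 1)
        if y & 1:
            v ^= MATRIX_A
        mt[i] = v


def mt19937_temper(y: int) -> int:
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK


def mt19937_outputs(seed: int, count: int) -> list[int]:
    """The first `count` values std::mt19937 returns after being constructed with `seed`."""
    mt = mt19937_init(seed)
    idx, out = N, []
    for _ in range(count):
        if idx == N:
            mt19937_twist(mt)
            idx = 0
        out.append(mt19937_temper(mt[idx]))
        idx += 1
    return out


def clock_seed_32() -> int:
    """Model (assumption) of bx's get_clock_seed(): a high-resolution clock reading
    truncated to 32 bits. At most 2^32 distinct seeds can ever come out of this."""
    return time.time_ns() & MASK


def weak_seed_material(clock_seed: int, nbytes: int = 32) -> bytes:
    """Key material from a 32-bit clock seed. Simplified model: raw MT output words are
    concatenated; bx's real byte mapping differs, the 32-bit seed space does not."""
    words = mt19937_outputs(clock_seed, (nbytes + 3) // 4)
    return b"".join(w.to_bytes(4, "little") for w in words)[:nbytes]


def strong_seed_material(nbytes: int = 32) -> bytes:
    """What it should have been: the OS CSPRNG, a 256-bit seed space instead of 32."""
    return secrets.token_bytes(nbytes)


def recover_clock_seed(observed: bytes, lo: int, hi: int):
    """Brute-force the seed over [lo, hi). An attacker who can guess when the wallet was
    made walks a window around that instant; one who cannot walks all 2^32 values.
    In practice each candidate is turned into an address and compared against the
    chain; here the key material itself is compared."""
    for s in range(lo, hi):
        candidate = s & MASK
        if weak_seed_material(candidate, len(observed)) == observed:
            return candidate
    return None


if __name__ == "__main__":
    seed = clock_seed_32()
    material = weak_seed_material(seed)
    # The attacker guesses the creation instant to within a few hundred clock ticks.
    found = recover_clock_seed(material, seed - 200, seed + 200)
    print("recovered the seed:", found == seed)
```

Note what the 624-output attack on MT does not buy here: bx seed emits one value and exits, so there is no stream to invert; the seed space itself is the weakness, and `strong_seed_material` is the whole fix.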

copper member
Activity: 1330
Merit: 899
🖤😏
I am wondering, what is an insecure key, what does it look like, and were these compromised keys easier than our 1000 bitcoin puzzle keys?  They had to know something, was there any hint in the code itself telling you what to look for?

I wouldn't trust any wallet, open source/ closed source, reviewed by all the experts or not, you just need to flip a coin to be safe.  In general I consider deterministic wallets/ seeds a vulnerability, gmaxwell was the first dev coming up with this idea right? It's only good and safe if you know what you are doing.   Bitcoin is only good to keep if you know what you are doing, that's the reason why masses don't rush into it, because it takes time and effort to learn how to do things.
staff
Activity: 4284
Merit: 8808
I saw this news few days ago, and it's not only the problem with Libbitcoin Explorer but with all devices with Intel processors.
You're confusing issues.

Libbitcoin explorer was only using 32-bit timestamps to generate keys via its 'bx seed' command.

The downfall thing is an issue on some processors where if you run malicious code on a processor it can steal parts of memory from other processes.  As you note, it's a concern for shared systems like cloud deployments.  But cloud deployments have MANY serious problems and downfall is only the latest in a long series of similar issues.   Certainly a concern but far far far less of a risk than just using 32-bits to generate keys.
legendary
Activity: 2212
Merit: 7064
I saw this news few days ago, and it's not only the problem with Libbitcoin Explorer but with all devices with Intel processors.
Everyone who is using computers and laptops with Intel processor should consider their devices as not secure anymore, and I wouldn't use them as my main cold storage.
Call me a conspiracy realist, but I think these flaws were intentionally there from the start and they are coming from inside Intel, but AMD is probably doing something similar.

Downfall Attacks is affecting billions of modern processors and cloud computers, and this is even more dangerous:
https://downfall.page/

Anyone keeping sensitive information in the cloud at this point is playing Russian roulette right now.

So you're basically saying that a weak random number generator such as Mersenne Twister was used for generating seed phrase entropy in Cake Wallet and Trust wallet? (!)
I don't think this is a true random generator, but I could be wrong.
This is much bigger topic and there is a big difference between pseudo-random and random number generation.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Similar problems were also found with the two well-known multi-coin wallets Cake Wallet and Binance's Trust Wallet. Especially Trust Wallet in particular is likely to be used by many forum members due to its aggressive marketing by Binance. Another reason to withdraw your coins from any Binance product.

So you're basically saying that a weak random number generator such as Mersenne Twister was used for generating seed phrase entropy in Cake Wallet and Trust wallet? (!)

These projects are totally screwed. How can you use such a basic pseudorandom number generator for generating something that will store people's life savings?
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
According to the security firm Distrust, at least ~$900k was stolen on multiple chains.

Until it reaches at least $1 million, it won't appear in the mainstream media, and maybe not even then, considering that such things have become quite common in the world of cryptocurrencies. All this that is happening is just proof that no matter how safe something seems, we should always question whether there is a loophole in the system that hackers will use sooner or later.

Similar problems were also found with the two well-known multi-coin wallets Cake Wallet and Binance's Trust Wallet. Especially Trust Wallet in particular is likely to be used by many forum members due to its aggressive marketing by Binance. Another reason to withdraw your coins from any Binance product.

I even have some dust in the Trust wallet, although I don't see that this altcoin is currently in danger, and even if it is, I'm somehow too lazy to send it to another wallet. I guess I apply to myself that unwritten rule "invest (or in this case save) only as much as you are ready to lose"
legendary
Activity: 1624
Merit: 4417
CoinDesk also takes up the topic again in an article: Disappearance of $900K Puts Focus on Vintage Bitcoin Project Libbitcoin

Quote
Information security firm Distrust says a total of at least $900,000 was stolen across multiple blockchains.

...

Milk Sad is not restricted to Bitcoin. Ethereum, Zcash, Solana and even Dogecoin are among the list of eight blockchains affected.

Similar but not identical vulnerabilities have been detected in Cake Wallet and Trust Wallet, both multi-chain wallet apps.

Typically, seed phrases are created using a generator capable of producing a set or “key space” with a dizzying number of unique word combinations represented by the exponent of a binary digit or “bit” – essentially, the number two raised to the power of 128, 192 or 256.

...

Source: Disappearance of $900K Puts Focus on Vintage Bitcoin Project Libbitcoin

According to the security firm Distrust, at least ~$900k was stolen on multiple chains.

Similar problems were also found with the two well-known multi-coin wallets Cake Wallet and Binance's Trust Wallet. Especially Trust Wallet in particular is likely to be used by many forum members due to its aggressive marketing by Binance. Another reason to withdraw your coins from any Binance product.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Translation: Libbitcoin was under active development until the first evidence of the exploit being used.

The thesis here is that Eric Voskuil was either involved in the exploit or at least well aware of this since the very first use of it.


Is that a reasonable hypothesis that he has planted this bug years in advance, only to sabotage his work, reputation and legacy for a highly uncertain payoff?).

Maybe the bug itself caused him to rage quit:

As John Wick would say, "Everything has a price."
staff
Activity: 4284
Merit: 8808
Or is this just a tool you use similar to a paper-wallet generator
Yes.

Quote
and cannot be included as part of code for a wallet project?
Cannot is a little strong, but it would be slightly surprising.  OTOH, it would be less surprising than the original error in libbitcoin explorer itself.

I could imagine some web service wallet thing using it on the backend but it would be an odd choice... or managing to copy the vulnerable code into other software though there was nothing subtle about it.
legendary
Activity: 2114
Merit: 1403
Disobey.
I am not familiar with this tool, so maybe this is a stupid question: Do we know if the Libbitcoin explorer wallet (seed) generation method was utilized by any mobile or desktop wallets?
Or is this just a tool you use similar to a paper-wallet generator and cannot be included as part of code for a wallet project?
staff
Activity: 4284
Merit: 8808
Any chance that somebody can create a stopgap version of libbitcoin explorer with a secure random number generator, just so that book authors and other website portals have an alternate version of 'bx' to point to instead?
I would be careful about assuming this was the only flaw.

Maybe the bug itself caused him to rage quit:
it's hard to square that with the current position that there isn't even a bug and that it's working as designed.

legendary
Activity: 2268
Merit: 16328
Fully fledged Merit Cycler - Golden Feather 22-23
This is an interesting theory:

The images are the following:

hero member
Activity: 406
Merit: 443
The question is related to the title of this thread: Wallets (seed words) created with libbitcoin (which wallets?)
You will find the list with a wiki link https://en.bitcoin.it/wiki/Libbitcoin

Quote
Projects Using Libbitcoin
Airbitz
Bitprim
Cancoin
Chip-Chap
Darkleaks
Darkwallet
Darkmarket
Mastering_Bitcoin
Metaverse
OpenBazaar
Teechan

Most of these projects are dead or have been renamed. For example, Airbitz has been renamed to EdgeApp, and you will find Libbitcoin at https://github.com/EdgeApp/libbitcoin-client; otherwise, popular wallets do not use Libbitcoin.
legendary
Activity: 2030
Merit: 1569
CLEAN non GPL infringing code made in Rust lang
So, the Milk Sad announcement is nice and all, but which projects have this libbitcoin dependency? Leaving closed wallets aside, shouldn't there be a list of affected programs so that people can take measures? I imagine a security patch and recompile would be needed too.

The question is related to the title of this thread: Wallets (seed words) created with libbitcoin (which wallets?)
hero member
Activity: 406
Merit: 443
Are there any educational articles on the security of wallets/ tools and anything related to private keys on this forum?

For ordinary users, well they don't know how to review the code if the code is available.
You can start with this topic https://bitcointalksearch.org/topic/--5316005 It explains well the concept of the private key and the entropy behind it, there are some videos in YouTube but they go into the details without giving a background.


What crypto wallets use this library?
At some time https://openbazaar.org and Cody Wilson & @genjix's DarkWallet (no longer working now) were using it.

I don't know if there is any new wallet uses this library, but I wouldn't be surprised if one of the closed source wallets used it.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Regarding the second part, the bx seed instructions and appendix in the book was a pull request by a libbitcoin developer in 2015.

At the time, it did not use a pseudorandom generator. But about a year later, they changed it, which unfortunately was soon after the book was published.

Nobody has audited libbitcoin explorer for security weaknesses previously as far as I know.
So, would it be fair to say that the vulnerability where you could generate a seed using weak and not random enough entropy was there from 2016 at the earliest? I am asking because according to the report, the first misuses are believed to have been recorded in May 2023. If it was there for such a long time before someone figured out what they could do with it, it's quite positive that they figured out what was wrong. Additionally, it's sheer luck that someone didn't understand how to abuse it earlier, or they did but no one knew about it.

Certainly! With reservations though, because depending on the operating system, there is a chance that even older versions of bx seed are using unsafe random number generators (this is because previously it was using std::random_device which in turn uses the OS random number generator).

Apparently, nobody figured out that this new code could be exploited until a few months ago.
legendary
Activity: 2730
Merit: 7065
Regarding the second part, the bx seed instructions and appendix in the book was a pull request by a libbitcoin developer in 2015.

At the time, it did not use a pseudorandom generator. But about a year later, they changed it, which unfortunately was soon after the book was published.

Nobody has audited libbitcoin explorer for security weaknesses previously as far as I know.
So, would it be fair to say that the vulnerability where you could generate a seed using weak and not random enough entropy was there from 2016 at the earliest? I am asking because according to the report, the first misuses are believed to have been recorded in May 2023. If it was there for such a long time before someone figured out what they could do with it, it's quite positive that they figured out what was wrong. Additionally, it's sheer luck that someone didn't understand how to abuse it earlier, or they did but no one knew about it.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
As we speak, I am looking at the codebase of bx and it has an AGPL v3+ license, so yes it is open-source
Do we know of any security experts or companies that have reviewed that open-source code and given it thumbs up as being safe with strong-enough entropy generation? It's too bad that Andreas recommended or talked about this Bitcoin library in his Mastering Bitcoin book. I wonder how long it was out there before someone realized how it can be exploited... 

Regarding the second part, the bx seed instructions and appendix in the book was a pull request by a libbitcoin developer in 2015.

At the time, it did not use a pseudorandom generator. But about a year later, they changed it, which unfortunately was soon after the book was published.

Nobody has audited libbitcoin explorer for security weaknesses previously as far as I know.
legendary
Activity: 2730
Merit: 7065
As we speak, I am looking at the codebase of bx and it has an AGPL v3+ license, so yes it is open-source
Do we know of any security experts or companies that have reviewed that open-source code and given it thumbs up as being safe with strong-enough entropy generation? It's too bad that Andreas recommended or talked about this Bitcoin library in his Mastering Bitcoin book. I wonder how long it was out there before someone realized how it can be exploited... 
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I already know libbitcoin has some problems/limitations, but I would never have expected it to use weak entropy.

EDIT: I give up. The build system used by libbitcoin-explorer is extremely convoluted, requires a C++20 compiler and at least Boost 1.76 (this is later than what Ubuntu 22.04 has), and works via a script "install.sh" instead of normal CMake or Automake, and trying to circumvent all these limitations by using containers has so far led to all kinds of build configuration errors.

IMO it's a good thing you gave up early. Based on my short experience, libbitcoin is one of the least friendly full node implementations, where I also had difficulty compiling[1], and it is also prone to corruption[2].

[1] https://bitcointalksearch.org/topic/m.56770963
[2] https://bitcointalksearch.org/topic/m.56832879

Regarding your second link: It's been years and version 4 (what the master branch points to) is still unfinished and hence non-functional. Obelisk has also been discontinued, apparently in order to develop libbitcoin-server, and 80% of the libbitcoin repositories are broken with the message: "Please use version 3 branch instead". The last commit to most of these repos was on May 9.

So yeah, it seems more and more like vaporware with every passing day. Sad
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
One other thing is educating people to never use closed source tools to generate private keys.
I don't know much about Libbitcoin or under what license the code was released, but I was under the impression that we are talking about a publicly verifiable library of tools for the Bitcoin blockchain. Was the code not publicly available for scrutiny?

The source says the first thefts started occurring in May 2023, but how long was the software available in that form before someone found out how to exploit it?
What crypto wallets use this library?

As we speak, I am looking at the codebase of bx and it has an AGPL v3+ license, so yes it is open-source:

Code:
/**
 * Copyright (c) 2011-2022 libbitcoin developers (see AUTHORS)
 *
 * This file is part of libbitcoin.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see .
 */


EDIT: I give up. The build system used by libbitcoin-explorer is extremely convoluted, requires a C++20 compiler and at least Boost 1.76 (this is later than what Ubuntu 22.04 has), and works via a script "install.sh" instead of normal CMake or Automake, and trying to circumvent all these limitations by using containers has so far led to all kinds of build configuration errors.

It looks like "bx seed" was really intended to be NOT SECURE AT ALL, so why the hell didn't they make an announcement about that when they made the change?
legendary
Activity: 2730
Merit: 7065
One other thing is educating people to never use closed source tools to generate private keys.
I don't know much about Libbitcoin or under what license the code was released, but I was under the impression that we are talking about a publicly verifiable library of tools for the Bitcoin blockchain. Was the code not publicly available for scrutiny?

The source says the first thefts started occurring in May 2023, but how long was the software available in that form before someone found out how to exploit it?
What crypto wallets use this library?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Any chance that somebody can create a stopgap version of libbitcoin explorer with a secure random number generator, just so that book authors and other website portals have an alternate version of 'bx' to point to instead?

(although if we do go that route I fear the situation will be similar to that of Chrome extensions such as The Great Suspender and Tab Auto Refresh, which sold out to malicious buyers, and now there are 5 clones of them in the Chrome Web Store, each of which may or may not also be malicious.)
copper member
Activity: 1330
Merit: 899
🖤😏
Are there any educational articles on the security of wallets/tools and anything related to private keys on this forum?

For ordinary users, well they don't know how to review the code if the code is available.

One other thing is educating people to never use closed source tools to generate private keys.

Also, what are the most secure and properly reviewed tools good for cryptography use? They all should be listed and updated somewhere, like in a book or a site. Wait, this bx was in a book which everyone kept using as a reference for newbies. What an irony!
staff
Activity: 4284
Merit: 8808
You should never have used any closed source wallet, but being open source is not enough.

In this case the rng was replaced with an obviously broken toy and no one noticed because the project has no reviewers.

Some extra relevant links:

https://github.com/libbitcoin/libbitcoin-system/pull/559

This is the pull request that added the vulnerability; the lack of review or collaboration is worth noticing. The prior code was already dubious in that, AFAIK, the std::random_device library doesn't promise that the randomness is suitable for cryptography. I believe that on common systems where this code was run the old code was not likely to be exploitable, but I wouldn't bet my money on it.

https://twitter.com/evoskuil/status/1688657656620167169

Developer commentary on this issue. I can't figure out what "long-documented intended usage" a seed command that mandates 128-bits of output but never has more than 32-bits of entropy would have.

https://archive.is/A7Jn6

The documentation the tweet references. I don't know how the 'Pseudorandom seeding' warning there would be distinguishable from warnings against CSPRNGs in favor of dice rolls or whatever; perhaps this is an example of the harm that chicken-little crying about CSPRNGs causes. Nor can I figure out for whose convenience this function would serve except attackers. In any case, this is the only place I found any kind of warning, and the warning postdates the Mastering Bitcoin usage (as well as the change that made the command unconditionally unsafe).

https://archive.is/HDe8h

Current libbitcoin-explorer instructions telling users to use the seed command to generate private keys.

https://archive.is/fhm5J#selection-12915.2-12915.10

Current libbitcoin-explorer instructions telling users to use the seed command to generate BIP39 seeds (also private keys).

https://archive.is/PWLKJ

Current libbitcoin-explorer documentation on randomness noting that bx seed is the ONLY source of randomness available to users in the package, and that all other commands that need randomness require the user to provide it. It also notes that 'bx seed' will not function if less than 128-bits are requested.

The private key and BIP39 seed usage (above) sure appears to be the "intended usage" in their documentation, but the "bx seed" function as currently implemented (since 2016) is unambiguously not fit for those purposes.
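The design flaw described in this post and in the earlier replies (a fixed-width PRNG seed feeding an arbitrarily long "seed" output, so the output carries no more entropy than the seed width, whatever length is requested) and the obvious remedy, as an added C++ example that is not code from libbitcoin, bx or any poster in this thread. The function names, the 32-bit seed width used to model the weak scheme, and the use of /dev/urandom as the OS CSPRNG are assumptions for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <fstream>
#include <random>
#include <set>
#include <stdexcept>
#include <vector>

// Constructed model of the weak design: a non-cryptographic PRNG
// (std::mt19937) seeded with one 32-bit value and asked for nbytes of
// "seed" material. However large nbytes is, the output is a pure
// function of seed32, so there are at most 2^32 possible outputs.
std::vector<std::uint8_t> weak_seed_bytes(std::uint32_t seed32, std::size_t nbytes) {
    std::mt19937 gen(seed32);  // the 32-bit seed is the entire input space
    std::vector<std::uint8_t> out;
    out.reserve(nbytes);
    while (out.size() < nbytes) {
        const std::uint32_t w = static_cast<std::uint32_t>(gen());
        for (int k = 0; k < 4 && out.size() < nbytes; ++k)
            out.push_back(static_cast<std::uint8_t>(w >> (8 * k)));
    }
    return out;
}

// Entropy (in bits) a caller actually gets from the weak scheme: bounded by
// the seed width (32 here), not by the number of output bits requested.
double weak_seed_entropy_bits(std::size_t nbytes) {
    const double requested = 8.0 * nbytes;
    return requested < 32.0 ? requested : 32.0;
}

// Count distinct outputs over a range of seeds. The output space grows with
// the number of seeds, not with nbytes: 16 or 32 output bytes make no
// difference to how many values the command can ever produce.
std::size_t distinct_outputs(std::uint32_t first_seed, std::uint32_t count,
                             std::size_t nbytes) {
    std::set<std::vector<std::uint8_t>> seen;
    for (std::uint32_t i = 0; i < count; ++i)
        seen.insert(weak_seed_bytes(first_seed + i, nbytes));
    return seen.size();
}

// The remedy: take seed material from the operating system's CSPRNG rather
// than from a user-space PRNG. /dev/urandom is kernel-provided on Linux and
// similar systems (assumption for the example: it exists and is readable;
// the function throws rather than returning weak or partial data).
std::vector<std::uint8_t> os_seed_bytes(std::size_t nbytes) {
    std::ifstream dev("/dev/urandom", std::ios::binary);
    std::vector<std::uint8_t> out(nbytes);
    if (!dev || !dev.read(reinterpret_cast<char*>(out.data()),
                          static_cast<std::streamsize>(nbytes)))
        throw std::runtime_error("could not read /dev/urandom");
    return out;
}
```

The point of `weak_seed_entropy_bits` is the one made in the post: asking the weak scheme for 128 or 256 bits changes the length of the answer but not how many answers exist. `os_seed_bytes` is what a seed command that promises 128 bits of entropy has to do instead; a generator whose documentation does not promise cryptographic quality (the post mentions std::random_device in this role) is not a substitute.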
hero member
Activity: 406
Merit: 443
This looks very interesting; it restricts the entropy from 128/256 bits to 32 bits.

I wouldn't be surprised if this was the reason for hacking some closed source wallets like Atomic Wallet, and I wouldn't be surprised if they were using deterministic random number generators.

I think we have enough reasons to stop using closed source wallets because we don't know exactly what updates they make and whether they check entropy is really random or they rely on outdated libraries for PRNG.
legendary
Activity: 3304
Merit: 8633
Crypto Swap Exchange
Bitcoin wallets created with the so-called Libbitcoin explorer are very insecure due to a cryptographically poorly implemented random number generator and should be cleared as soon as possible. The Libbitcoin explorer, more commonly known by its abbreviation 'bx', is a handy tool for the command line, with all sorts of functions for Bitcoin key and wallet management. Among them is the ability to use the 'bx seed' command to create a supposedly secure new wallet with 12 or 24 recovery words.

Libbitcoin explorer is best known for its prominent mention in the technical Bitcoin book 'Mastering Bitcoin', written by author Andreas M. Antonopoulos. An entire article is dedicated to how the tool works and how to use it.

David A. Harding, who is busy writing the revised and third edition of this book, sent the following tweet about it today:

https://twitter.com/hrdng/status/1689022029142560771

Under the following link you can find more information about the vulnerability: https://milksad.info/