Hackers have reportedly exploited a weakness in popular crypto wallet tool Libbitcoin Explorer that has allowed them to steal funds from multiple blockchains.
According to software security expert Distrust, which led the investigation, the ‘Milk Sad’ issue (so named because those were the first two words in the seed phrase of the broken key generation process) stems from a “flawed seed subcommand for the generation of new wallet private key entropy.” As a result, the tool produces insecure output.
“Think of this as securing your online bank account with a password manager that creates a long random password, but it often creates the same passwords for every user. Malicious people have figured this out and drained funds on any account they can find,” investigators say.
Distrust warns that the effective security is reduced to a point where a powerful gaming PC can brute-force the seeds in less than one day.
Researchers didn’t confirm exactly which wallets had been affected by the Libbitcoin issue or how much crypto may have been stolen, but it’s believed that the exploit took place “in the wild” in June and July this year.
Trust Wallet suffered a similar exploit
Popular crypto wallet Trust Wallet lost nearly $170,000 in user funds when it suffered a similar exploit late last year.
The issue, which was discovered via a bug bounty, affected the wallet’s open-source library Wallet Core. It specifically affected new addresses generated by the browser extension between November 14 and 23.
Back in April, the company told affected customers to create new wallets and move funds.