Two new vulnerabilities are discovered that affect the security of cryptocurrency wallets


The CVE-2023-39910 vulnerability in Libbitcoin's Bitcoin Explorer tool and the BitForge vulnerability suite, which affects crypto wallets at the MPC protocol level, could have allowed potential cryptocurrency theft. 

Security researchers from the Milk Sad project have discovered a vulnerability, dubbed CVE-2023-39910, which affects cryptocurrency wallets generated using Libbitcoin's Bitcoin Explorer tool. 

According to the team of researchers, consisting of Distrust core team members Anton Livaja, Lance Vick, Ryan Heywood and Shane Engelman together with a group of 8 independent researchers, the CVE-2023-39910 vulnerability allows malicious actors to access the private keys of users whose crypto wallets were created with versions of Libbitcoin prior to v3.0.0, which use the Mersenne Twister pseudo-random number generator (PRNG). This is possible because of a bug in the way the PRNG is seeded, which undermines the entropy behind the wallets' key material and lets attackers brute-force the wallets' private keys within a few days.

The vulnerability was discovered while researchers were looking into a number of mysterious cryptocurrency thefts, including a theft of $850,000 worth of Bitcoin that occurred between June and July.

In addition to CVE-2023-39910, a separate investigation by the Fireblocks team found another vulnerability, called BitForge, which affects several of the most widely adopted implementations of multi-party computation (MPC) protocols, including GG18, GG20 and Lindell17.

Source: X – @FireblocksHQ

BitForge was classified by Fireblocks as a “zero-day” vulnerability that puts about 15 cryptocurrency wallets at risk by allowing an attacker to access the private keys of these digital asset wallets.

The risks of crypto wallets generated with Libbitcoin

The world of cryptocurrencies and blockchain technology is full of great benefits, but also great risks. Although security has always been a pressing concern for blockchain developers, vulnerabilities, bugs and challenges still exist. 

In the case of CVE-2023-39910, Milk Sad researchers highlighted that the vulnerability can be exploited to steal funds from a cryptocurrency wallet even if its user keeps the private keys on paper inside a safe. How is this possible?

The researchers explained that the key point of the vulnerability is the weak random number generator.

The practical security of a crypto wallet generated with any version of Libbitcoin prior to v3.0.0 is reduced from 128 bits, 192 bits or 256 bits to just 32 bits of unknown key information. “A 32-bit keyspace is 2^32, or 4,294,967,296 different unique combinations of BIP39-derived mnemonic phrases or other (BIP32) key formats… That’s not as many combinations as it seems,” the security researchers noted.

Because of this “insufficient” number of unique combinations of mnemonic phrases, an attacker could perform a brute-force search for the combination belonging to a given cryptocurrency wallet in less than a day, using a decent computer or gaming PC. At that point it would not matter how well the owner of the crypto wallet guards the seed phrase: the attacker, being in possession of the private keys, could steal the funds remotely.
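The point the researchers make is that the width of the derived key says nothing about how much of it an attacker does not know; what matters is the width of the seed that produced it. The following is an added illustration of that principle, not Libbitcoin's or the Milk Sad team's code: it models a generator that draws 256 key bits from a Mersenne Twister seeded with a small integer (the seed widths and the `random.Random` model are assumptions) and contrasts it with key material taken from the operating system's CSPRNG.

```python
"""Added example: why a small PRNG seed collapses a 256-bit key.

Model (an assumption, not Libbitcoin's actual code path): a wallet generator
draws all of its key material from a Mersenne Twister that was seeded with a
small integer, the pattern the article describes.
"""
import random
import secrets


def weak_entropy(seed: int, nbits: int = 256) -> int:
    """Flawed design: every bit of the output is a function of `seed` alone."""
    return random.Random(seed).getrandbits(nbits)


def strong_entropy(nbits: int = 256) -> int:
    """Sound design: key material comes straight from the OS CSPRNG."""
    return secrets.randbits(nbits)


def effective_key_bits(seed_bits: int, nbits: int) -> int:
    """Unknown key information is bounded by the seed width, not the output width.

    For the article's case: effective_key_bits(32, 256) == 32.
    """
    return min(seed_bits, nbits)


def distinct_outputs(seed_bits: int, nbits: int = 256) -> int:
    """Count how many distinct nbits-wide keys a seed_bits-wide seed can reach.

    Enumerates the whole seed space, so keep seed_bits small for a demo;
    the result can never exceed 2**seed_bits, however wide the output is.
    """
    return len({weak_entropy(s, nbits) for s in range(1 << seed_bits)})


def is_reproducible(seed: int, nbits: int = 256) -> bool:
    """Anyone who learns (or guesses) the seed regenerates the exact same key."""
    return weak_entropy(seed, nbits) == weak_entropy(seed, nbits)


if __name__ == "__main__":
    print("8-bit seed  ->", distinct_outputs(8), "distinct 256-bit keys")
    print("32-bit seed -> effective strength", effective_key_bits(32, 256), "bits")
    print("CSPRNG key  ->", strong_entropy().bit_length(), "bits (not seed-bounded)")
```

In a code review, the practical check is therefore to trace where the seed comes from (a 32-bit value such as a timestamp versus the OS CSPRNG), rather than to look at how many bits the generator emits.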

The recommendation of the Milk Sad researchers to users of crypto wallets generated with Libbitcoin is to move their funds to a new, securely generated wallet, to avoid the possibility of being affected by this vulnerability.

More than 15 crypto wallets affected by BitForge

On the other hand, the vulnerability discovered by Fireblocks affects more than 15 major cryptocurrency wallet providers, including blockchains and open source projects. 

The vulnerability allows an attacker to leak the full private key of a cryptocurrency wallet due to a missing zero-knowledge proof in the GG18 and GG20 protocols. In the case of the Lindell17 protocol, the vulnerability can be exploited in those implementations that deviate from the academic paper's specification and that mishandle failed signatures, creating a backdoor that allows attackers to access private keys when the signature fails.

The developers and providers of the affected cryptocurrency wallets are currently updating their implementations to patch the vulnerability and ensure user safety. 
