Update first blogpost with new information

This commit is contained in:
Christian Reitter 2023-12-02 16:49:19 +01:00
parent c91b80c3aa
commit 3e5813df85
1 changed files with 16 additions and 9 deletions


@ -1,8 +1,9 @@
---
layout: post
title: "Research Update No. 1 - New bx Data, ETH, Service Changes"
author: "Christian Reitter"
author: ["Christian Reitter"]
date: 2023-11-23 00:00:00 +0000
last_modified_at: 2023-12-02 16:00:00 +0000
---
Three months have passed since discovering the explanation for the observed thefts and our intense sprint towards the initial publication of the `Milk Sad` vulnerability in the blockchain-explorer `bx` wallet software. By quickly publishing, we fulfilled our primary goal of telling the world about the issue - providing an explanation for affected victims, and hopefully sparing some future users from the same fate. The disclosure also raised the public profile of the weak Pseudorandom Number Generators (PRNGs) vulnerability class and underlined the catastrophic impacts it can have in the cryptocurrency world.
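Review bot: In the front matter, `author` changes from a plain string to a one-element list, and nothing in this patch touches a layout, so please confirm the post template renders a list value (for example by joining the entries) rather than printing the array literally. A smaller point on the new `last_modified_at: 2023-12-02 16:00:00 +0000`: the commit is timestamped 16:49:19 +01:00, which is 15:49 UTC, so the recorded modification time lies slightly after the commit itself; if 16:00 was meant as local time, the offset should be `+0100`.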
@ -24,15 +25,16 @@ Our updated current statistics on discovered wallets and path usage are as follo
| BIP39 entropy bit length <br/>_mnemonic length_ | 128 bit<br/>_12 words_ | 160 bit<br/>_15 words_| 192 bit <br/>_18 words_| 224 bit <br/> _21 words_| 256 bit <br/>_24 words_|
| -- | -- | -- | -- | -- | -- | -- |
| `m/44'/0'/0'/0/0` path | 8 | 0 | 2 | 0 | 14 |
| `m/44'/0'/0'/0/0` path, compressed, P2PKH | 8 | 0 | 2 | 0 | 14 |
| `m/44'/0'/0'/0/0` path, uncompressed, P2PKH | 0 | - | 0 | - | 1 |
| `m/49'/0'/0'/0/0` path | 1 | 0 | 1 | 0 | 2634 |
| `m/84'/0'/0'/0/0` path | 0 | 0 | 1 | 0 | 9 |
| -- | -- | -- | -- | -- | -- |
| sum of unique wallet private keys | 9 | 0 | 4 | 0 | 2654 |
| sum of unique wallet private keys | 9 | 0 | 4 | 0 | 2655 |
In the 256 bit range, there are two wallets which used multiple paths.
In the 256 bit range, there are two wallets which used multiple paths. Ranges marked with `-` were not tested.
The total number of known weak BIP39 private keys with Bitcoin Mainnet usage (on the analyzed paths and address formats) in this range is therefore **2667**.
The total number of known weak BIP39 private keys with Bitcoin Mainnet usage (on the analyzed paths and address formats) in this range is therefore **2668**.
Additional notes:
* Our search doesn't detect wallets used exclusively with an additional BIP39 user passphrase, non-standard path use or multisig wallets.
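Review bot: The new uncompressed P2PKH row marks the 160 bit and 224 bit columns with `-` (not tested), but the "sum of unique wallet private keys" row still shows `0` for both columns, which a reader can take as "tested for every listed format and empty". Consider a short remark next to the legend sentence that sums cover only the tested path and format combinations. The arithmetic of the update itself is consistent: 9 + 0 + 4 + 0 + 2655 matches the new total of **2668**. While this table is being touched, the first separator row has seven cells for a six-column header, and the second `| -- |` row sits mid-table, which some Markdown renderers treat as a literal data row.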
@ -58,17 +60,18 @@ We found the following new Bitcoin wallets:
| entropy bit length | 128 bit | 192 bit | 256 bit | 512 bit |
| -- | -- | -- | -- | -- |
| number of wallets, `m/` path | 2 | 54 | 12 | 1 |
| number of wallets, `m/` path, compressed, P2PKH | 2 | 54 | 12 | 1 |
| number of wallets, `m/` path, uncompressed, P2PKH | 0 | 12 | 0 | 0 |
Overall, we discovered **69** such new wallets in total.
Overall, we discovered **81** such new wallets in total.
Additionally, we did not find any wallets in the following bit length range variations: 64 bit, 160 bit, 224 bit, 384 bit, 768 bit, 1024 bit, 2048 bit, 3072 bit, 8192 bit.
Additionally, we did not find any wallets in the following bit length range variations: 64 bit, 160 bit, 224 bit, 384 bit, 768 bit, 1024 bit, 2048 bit, 3072 bit, 8192 bit while searching for compressed public key P2PKH wallets on the base path.
A noteworthy detail here is the apparent trend towards `192 bit` wallets, which is the default bit length of `bx seed`. It appears that users of `bx ec-new` had less reason or motivation to override the default settings, which is different from the BIP39 keys where 24-word (256 bit) and 12-word (128 bit) mnemonics were more popular. One possible explanation is that users were less concerned with compatibility of the generated private key by other software, since it's not widely used elsewhere.
Some relevant facts about the discovered wallets from ec-new:
* Earliest use on 2016-12-15, likely with a pre-release version of `bx` `3.0.0`. All other usages are after the official release date.
* Overall, a total cumulative volume of **111.94BTC** has moved across the weak wallets of this type (estimate based on known address history).
* Overall, a total cumulative volume of **112.86 BTC** has moved across the weak wallets of this type (estimate based on known address history).
* The last large outgoing transaction from this set of wallets is [3a5b1c78..f54fe376](https://mempool.space/tx/3a5b1c7816217f56a583f7dc910ffef2d022ed69e3c599e82bb4813df54fe376) with **1.13 BTC**, which happened on 2023-03-31 18:58. It is unclear to us if this is theft or a legitimate movement.
* The attacker behind the [2023-07-12 main theft]({% link disclosure.md %}#ongoing-on-chain-thefts---some-facts) found and used at least one of these private keys, as proven by stealing from [1JUdUgFm7B9GZihtf4jtryCmt4YcRMaJGx](https://mempool.space/address/1JUdUgFm7B9GZihtf4jtryCmt4YcRMaJGx) via one of the three main theft transactions. The stolen amount was small: **0.0015 BTC**, less than $50 at the time.
* In August 2023, several small outgoing transactions moved other remaining funds, which individually were worth a few dollars. We think these were intentionally skipped by the main attacker due to the their low value considering the transfer fee overhead, and are now slowly swept by other opportunistic thieves. The primary destination address for this is [bc1q0yxd9avwy2wnj7lpj35v5d5n5ejfn79mk37xgd](https://mempool.space/address/bc1q0yxd9avwy2wnj7lpj35v5d5n5ejfn79mk37xgd).
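Review bot: The reworded "we did not find any wallets" sentence now scopes the empty bit lengths (64 bit, 160 bit, ...) to compressed public key P2PKH on the base path, but the patch does not say whether the uncompressed search covered those lengths at all; the new uncompressed row only lists 128, 192, 256 and 512 bit. The BIP39 table earlier in this patch uses `-` for untested ranges, so a matching statement here would keep the two sections consistent. The new total is consistent with the rows (2 + 54 + 12 + 1 + 12 = **81**). Only the cumulative volume bullet was updated; it would help to confirm that the "earliest use" and "last large outgoing transaction" bullets still hold once the 12 uncompressed wallets are included. There is also a typo in the unchanged last bullet, "due to the their low value", that could be fixed in the same commit.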
@ -107,4 +110,8 @@ Our research has led us deeper into the Mersenne-Twister rabbit hole, and we hav
Stay tuned!
## Page updates
This post was updated with newer statistics.
<br/>
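Review bot: The new "Page updates" entry, "This post was updated with newer statistics.", gives neither a date nor what changed, so a reader comparing figures against an earlier copy cannot tell which numbers moved. Suggest including the date already recorded in `last_modified_at` (2023-12-02) and a short summary, for example that uncompressed P2PKH results were added to both wallet tables and the totals adjusted. The trailing `<br/>` after the note looks unnecessary unless the layout depends on it.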