From 42463bd7e3d8eaa42bb16f051b677151e2046e1b Mon Sep 17 00:00:00 2001
From: Christian Reitter <invd@inhq.net>
Date: Tue, 13 Feb 2024 18:39:45 +0100
Subject: [PATCH] Add blog posts no.6

---
 _posts/2024-02-13-research-update-6.md | 29 ++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 _posts/2024-02-13-research-update-6.md

diff --git a/_posts/2024-02-13-research-update-6.md b/_posts/2024-02-13-research-update-6.md
new file mode 100644
index 0000000..d63ca4c
--- /dev/null
+++ b/_posts/2024-02-13-research-update-6.md
@@ -0,0 +1,29 @@
+---
+layout: post
+title: "Update #6 - Cake Wallet Vulnerability PSA"
+author: ["Christian Reitter"]
+date: 2024-02-13 17:00:00 +0000
+---
+
+This post is a **Public Service Announcement**:
+Several vulnerable versions of the cryptocurrency wallet software `Cake Wallet` released in 2020-2021 created [extremely weak Bitcoin wallets](https://www.reddit.com/r/Monero/comments/n9yypd/urgent_action_needed_for_bitcoin_wallets_cake/).<br/>
+If you're a Cake Wallet user or know someone who is, we urgently recommend checking if you
+-> still use a **vulnerable old wallet software version**
+-> still use an **old and weak Bitcoin mnemonic seed generated with a vulnerable version**<br/>
+Affected wallets are at risk of immediate and complete loss of all Bitcoin funds.
+
+If you think this affects you, we strongly recommend moving your funds to a new Bitcoin wallet generated by a known-good `Cake Wallet` application version (or a different cryptocurrency wallet software).
+
+## Context
+
+Bitcoin wallets generated with vulnerable `Cake Wallet` versions are based on insecure randomness, which means that the secret keys for them can be reconstructed and misused by attackers similarly to the other wallet vulnerabilities we've described on this website. This has been well-known since the vendor's public Reddit [advisory post](https://www.reddit.com/r/Monero/comments/n9yypd/urgent_action_needed_for_bitcoin_wallets_cake/) on 2021-05-11.
+
+The vulnerable wallet mnemonics are 12-word [seed phrases in Electrum format](https://electrum.readthedocs.io/en/latest/seedphrase.html) and all have the "Segwit" type. They look like normal BIP39 mnemonic phrases but are incompatible, meaning only Electrum-compatible software can use them. Other coin types and mnemonic format variations are not affected, based on what we know at the moment.
+
+Possible scenarios of why this can still be relevant today:
+- The user still has a `Cake Wallet` application version before `v4.1.7` installed that was never patched, and continues to use it. This could happen via a manual Android `.apk` installation, for example.
+- The user generated and exported a weak wallet mnemonic from a vulnerable `Cake Wallet` version and re-imported it in a newer `Cake Wallet` version or other compatible wallet software such as Electrum.
+
+We're in contact with `Cake Labs` about this. Starting with version `v4.12.0` released in December 2023, `Cake Wallet` will try to detect and warn about the continued local use of known vulnerable mnemonics due to our help, which covers [a known subset of ca. 8700 wallets](https://github.com/cake-tech/cake_wallet/pull/1238/files#diff-f0e3a7e177b8361801485b78f89e31eb8667f5084044ba4e63ff53780e974059).
+
+More information and technical details will follow at a later date.
\ No newline at end of file