diff --git a/_posts/2024-01-23-research-update-5.md b/_posts/2024-01-23-research-update-5.md
index d494c42..ce55714 100644
--- a/_posts/2024-01-23-research-update-5.md
+++ b/_posts/2024-01-23-research-update-5.md
@@ -5,7 +5,7 @@ author: ["Christian Reitter"]
date: 2024-01-23 17:00:00 +0000
---
-Last Friday, we learned of a [newly disclosed vulnerability](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) in the `Trust Wallet` software which is relevant to Milk Sad. Researchers from [SECBIT Labs](https://secbit.io) tracked down an older wallet generation weakness in the IOS platform version of `Trust Wallet` from 2018 and connected it to the large thefts on 2023-07-12 that triggered our Milk Sad research.
+Last Friday, we learned of a [newly disclosed vulnerability](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) in the `Trust Wallet` software which is relevant to Milk Sad. Researchers from [SECBIT Labs](https://secbit.io) tracked down an older wallet generation weakness in the iOS platform version of `Trust Wallet` from 2018 and connected it to the large thefts on 2023-07-12 that triggered our Milk Sad research.
Using the newly available information, we managed to reproduce some of their findings, and can give a first look at additional data we collected.
@@ -18,7 +18,7 @@ Using the newly available information, we managed to reproduce some of their fin
## Vulnerability TL;DR
-Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for IOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 32-bit state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023.
+Open source code shows that [a core component](https://github.com/trustwallet/trezor-crypto-ios/commits/master/) of the `Trust Wallet` app for iOS generated new cryptocurrency wallets using unsafe functions in the `trezor-crypto` library that were not meant for production. As a result, their wallet entropy is based on a weak PRNG with 32-bit state that is seeded with easy-to-guess time values. This makes all wallets generated with vulnerable app versions easy to brute force remotely, like the weak `bx seed` mechanism in Libbitcoin. Both weaknesses were attacked on-chain at the same time in July 2023.
If you want to understand this better, we recommend taking a look at the [Trust Wallet's Fomo3D Summer: Fresh Discovery of Low Entropy Flaw From 2018](https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/) disclosure of the SECBIT team.
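Review bot: the unchanged context sentence `we recommend taking a look at the [...] disclosure of the SECBIT team.` reads awkwardly; `the SECBIT team's [...] disclosure` is the natural order, and this hunk already touches the paragraph above it.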
@@ -31,8 +31,8 @@ The newly disclosed vulnerability comes in two forms. Together with the previous
| Issue | When | Characteristics | Research |
| -- | -- | -- | -- | -- | -- | -- |
| vulnerable Trust Wallet browser extension | 2022/2023 | Mersenne Twister based | [research update #2]({% link _posts/2023-12-06-research-update-2.md %}) |
-| vulnerable Trust Wallet IOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article |
-| vulnerable Trust Wallet IOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article |
+| vulnerable Trust Wallet iOS app - **variant A** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [2e528be](https://github.com/trezor/trezor-crypto/commit/2e528be1e91dd48c0e55061fbdd40ccf8b285559) | this article |
+| vulnerable Trust Wallet iOS app - **variant B** | Mid-2018 | `LCG16807` `MINSTD_RAND0` + `trezor-crypto` [009850](https://github.com/trezor/trezor-crypto/commit/009850f6c9afcf60b4c6280afd46868b1a7a1fdd) | this article |
Each weak PRNGs variant make for different ranges of weak wallets. This article is _exclusively_ about the two newly discovered variants, and does not cover the Mersenne Twister based vulnerability.
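Review bot: the table separator row in the context, `| -- | -- | -- | -- | -- | -- | -- |`, declares seven columns while the header and every data row (including the two rows this hunk rewrites) have four; trim it to `| -- | -- | -- | -- |` so the Markdown renders consistently. The sentence right after the table, `Each weak PRNGs variant make for different ranges of weak wallets.`, also needs subject-verb agreement: `Each weak PRNG variant makes for different ranges of weak wallets.`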
@@ -64,8 +64,8 @@ Within the wallet ranges with 12 mnemonic words (128 bits), we found the followi
* Wallet generation: variant A entropy -> BIP39 -> BIP32.
* Wallet generation: variant B entropy -> BIP39 -> BIP32.
* The 18 word and 24 word ranges in Variant A seem to be mostly unused, we focused on 12 word.
-* Ethereum wallet detection is based on a known incomplete bloom filter dataset from mid-2023.
-* Bitcoin wallet detection is based on a bloom filter dataset from 2024-01-15.
+* Ethereum wallet detection is based on a known incomplete bloom filter data set from mid-2023.
+* Bitcoin wallet detection is based on a bloom filter data set from 2024-01-15.
Based on the current preliminary (incomplete!) data, we're counting at least **3440** unique wallet mnemonics.
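Review bot: the `dataset` -> `data set` change is purely a style choice, and `dataset` is the more common single-word form in this field; whichever is kept should be used consistently in the rest of the post. While this list is being touched, the context item `The 18 word and 24 word ranges in Variant A seem to be mostly unused, we focused on 12 word.` is a comma splice; `..., so we focused on the 12-word range.` reads better and matches the `12 mnemonic words` wording in the hunk header.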
@@ -77,7 +77,7 @@ We mapped out the discovered BTC and ETH wallets in a histogram plot to better u
{% responsive_image_block %}
figure: true
path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2010_2025_graph1.png
- alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet IOS
variant A & B - 128 bit wallets
Yearly X-Axis timestamp markers"
+ alt: "Histogram of PRNG creation index for discovered wallets
Trust Wallet iOS variant A & B - 128 bit wallets
Yearly X-Axis timestamp markers"
target_width: 1100px
{% endresponsive_image_block %}
@@ -87,31 +87,34 @@ We mapped out the discovered BTC and ETH wallets in a histogram plot to better u
* 2019-01-01: **1,546 x 10⁹** timestamp
* 2020-01-01: **1,578 x 10⁹** timestamp
* Total range shown: 2010-01-01 to 2025-01-01
-* Y-Axis capped for readability
+* Y-Axis capped for readability, data is not stacked
Two main observations:
1. The majority of Bitcoin and Ethereum wallets have a PRNG seed that corresponds to wallet creation timestamps from 2018 and 2019.
2. There is a smaller number of wallets with a more "random" pattern.
-Point 1) generally fits to the publicly known timeline of the `Trust Wallet IOS` development and vulnerability (but is not a hard confirmation).
+Point 1) generally fits to the publicly known timeline of the `Trust Wallet iOS` development and vulnerability (but is not a hard confirmation).
Point 2) indicates that there is some other source of weak wallets in this range that is less time based. Alternatively, it's possible that a subset of app devices had bad clocks for some reasons when creating the wallets.
-Since the situation in 2018-2019 is very busy, here is a zoomed in version:
+Since the situation in 2018-2019 is very busy, here is a zoomed-in and annotated version:
{% responsive_image_block %}
figure: true
path: assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2018_2019_graph2.png
- alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet IOS
variant A & B, 2018-05 to 2020-01"
+ alt: "Histogram of PRNG creation index for discovered wallets - Trust Wallet iOS
variant A & B, 2018-05 to 2020-01, data is not stacked"
target_width: 1100px
{% endresponsive_image_block %}
A possible interpretation of the graph history:
-* Weak wallets of variant A appear with the first weak software version
-* Weak wallets of variant B appear once a differently vulnerable software version gets released, new wallets of variant A get more rare
-* A patched version get released
-* Historically high BTC prices makes users with existing weak wallets create Bitcoin accounts (?)
-* Some users of both vulnerable software versions keep creating weak wallets months later, likely because did not get the patched app versions yet
+1. Parameter space "before" the vulnerable `Trust Wallet` versions
+2. Weak wallets of variant A appear with the first weak software version
+3. Weak wallets of variant B appear once a differently vulnerable software version gets released
+ * -> New wallets in variant A get more rare
+4. A patched version get released
+ * -> New wallets in variant B get more rare
+5. Historically high BTC prices motivate users to create new wallet mnemonics for Bitcoin accounts (?)
+6. Some users of both vulnerable software versions keep creating weak wallets months later, likely because did not get or install the patched app versions yet
### Bitcoin On-Chain Movements
Here is an _initial, incomplete_ analysis of BTC movements to and from weak wallets based on our initial data:
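Review bot: the new numbered list carries over two grammar slips from the removed bullets: item 4 `A patched version get released` should be `gets released`, and item 6 `likely because did not get or install the patched app versions yet` is missing its subject (`because they did not get ...`). The new bullet `Y-Axis capped for readability, data is not stacked` is a comma splice; `Y-Axis capped for readability (data is not stacked)` keeps the added clarification without it. In the unchanged point 2 line, `for some reasons` should be `for some reason`.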
@@ -141,7 +144,7 @@ Note: this describes funds moved over the weak wallets that have been at risk at
### Involvement in the 2023-07-12 Theft
Here are the three biggest outgoing theft transactions from the newly disclosed range of weak wallets on 2023-07-12:
-| Transaction | Volume variant A
(`Trust Wallet IOS`) | Volume variant B
(`Trust Wallet IOS`) | Transaction total volume | Date |
+| Transaction | Volume variant A
(`Trust Wallet iOS`) | Volume variant B
(`Trust Wallet iOS`) | Transaction total volume | Date |
| - | - | - | - |
| {{ "81cfe97cc16a49398d6986032ec8f6970ea80df5aa0990dcf0164de87136f5bf" | BtcLinkTxUrlSliced }} | -4,829 BTC | -3,481 BTC | -9,744 BTC | 2023-07-12 12:41 |
| {{ "cdd9a2aff7cd0707e31023513cc78aceff7ea7e754e3a9bde9c0482b70a9716c" | BtcLinkTxUrlSliced }} | -8,161 BTC | none | -8,161 BTC _(incl. fee)_ | 2023-07-12 12:41 |
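Review bot: the separator row `| - | - | - | - |` has four cells, but the header and the data rows have five (Transaction, Volume variant A, Volume variant B, Transaction total volume, Date), so the table will not render as intended; add a fifth `| - |`. The header cells also contain hard line breaks across three source lines, which Markdown tables do not support; put the whole header row on one line, e.g. `| Transaction | Volume variant A (\`Trust Wallet iOS\`) | Volume variant B (\`Trust Wallet iOS\`) | Transaction total volume | Date |`.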
@@ -158,8 +161,8 @@ At the time of publication, less than $100 USD in total remain on the known BTC
## Summary & Outlook
-In this research update, we've followed up on work by other security researchers who discovered two large new ranges of weak cryptocurrency wallets from (most likely) an older vulnerability in `Trust Wallet` on IOS. We confirmed that these weak wallets exist and that they were involved in the Milk Sad thefts. We also provided new statistics on their distribution and usage.
+In this research update, we've followed up on work by other security researchers who discovered two large new ranges of weak cryptocurrency wallets from (most likely) an older vulnerability in `Trust Wallet` on iOS. We confirmed that these weak wallets exist and that they were involved in the Milk Sad thefts. We also provided new statistics on their distribution and usage.
-This is an exciting new piece of the overall Milk Sad puzzle, and we'll likely update this blogpost with some new information as it becomes available.
+This is an exciting new piece of the overall Milk Sad puzzle, and we'll likely update this blog post with some new information as it becomes available.
\ No newline at end of file
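Review bot: the file still ends without a trailing newline (`\ No newline at end of file`); since this hunk edits the final line anyway, add the newline so later diffs stop flagging it.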
diff --git a/assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2010_2025_graph1.png b/assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2010_2025_graph1.png
index 2ef6530..8974b75 100644
Binary files a/assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2010_2025_graph1.png and b/assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2010_2025_graph1.png differ
diff --git a/assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2018_2019_graph2.png b/assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2018_2019_graph2.png
index 8107786..939d164 100644
Binary files a/assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2018_2019_graph2.png and b/assets/images/graphs/trustwallet2ab_bip39_128bit_only_histogram_btc_eth_prng_index_2018_2019_graph2.png differ