Libbitcoin Library Vulnerability Leads to $900,000 in Stolen Funds


Libbitcoin, a comprehensive suite of tools created by British-Iranian anarchist developer Amir Taaki and a group of open-source coders in 2011, has been featured in Bitcoin educator Andreas Antonopoulos’s popular book Mastering Bitcoin. However, after roughly $900,000 disappeared from various user wallets over the past few months, Libbitcoin has turned out to be unsafe.

According to a report on milksad.info, hackers discovered an obscure vulnerability in a number of wallets generated by the Libbitcoin explorer, called BX. This vulnerability, dubbed Milk Sad, allowed the hackers to secretly steal funds from unsuspecting users. The most significant heist – 29.65 bitcoin (BTC) worth about $870,000 at current rates – took place July 12.

The vulnerability was caused by BX's text command bx seed, which uses the clock on a developer's computer to produce a seed phrase for creating a wallet. A clock reading is a poor entropy source: the resulting seed phrase was insufficiently random, allowing attackers to brute-force search or guess all possible word combinations for a user's seed phrase.
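To make the flaw class concrete, here is an added Python illustration (not BX's own C++ code): a seed generator fed only a clock reading is a deterministic function of that reading, so its output has at most as much entropy as the clock value itself, regardless of how many bytes it emits. The 32-bit clock width and the function names are assumptions for the example; the hardened version draws from the operating system's CSPRNG instead.

```python
"""Clock-seeded PRNG vs. OS CSPRNG for wallet seed material (illustrative)."""
import random
import secrets


def weak_seed_bytes(clock_value: int, nbytes: int = 32) -> bytes:
    """Seed bytes derived from a PRNG seeded only with a clock reading.

    Hypothetical stand-in for the weak pattern described in the article, not
    BX's code. Assumes a 32-bit clock value: every byte produced is a pure
    function of that value, so at most 2**32 distinct seeds can ever appear,
    however long the output is.
    """
    rng = random.Random(clock_value & 0xFFFFFFFF)  # state fully set by 32 bits
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_seed_bytes(nbytes: int = 32) -> bytes:
    """Seed bytes from the OS CSPRNG: fresh entropy on every call."""
    return secrets.token_bytes(nbytes)


def effective_entropy_bits(seed_input_bits: int, output_bits: int) -> int:
    """Entropy of a PRNG's output is capped by the entropy fed into it.

    Producing 256 output bits from a 32-bit clock value still yields only
    32 bits of security, which is within reach of a brute-force search.
    """
    return min(seed_input_bits, output_bits)


def audit(clock_value: int = 1689120000) -> dict:
    """Show determinism of the weak path and the entropy cap for both paths.

    The clock value is a constructed sample, not a real wallet's timestamp.
    """
    weak_a = weak_seed_bytes(clock_value)
    weak_b = weak_seed_bytes(clock_value)
    return {
        "weak_is_deterministic": weak_a == weak_b,
        "weak_entropy_bits": effective_entropy_bits(32, 256),
        "strong_entropy_bits": effective_entropy_bits(256, 256),
        "strong_repeats": strong_seed_bytes() == strong_seed_bytes(),
    }


if __name__ == "__main__":
    print(audit())
```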

Eric Voskuil, BX's lead developer, admitted that the seed generator was indeed insecure, but insisted there was no bug in the software. However, several cryptographers in the Bitcoin community disagreed. "The case is crystal-clear," tweeted Tim Ruffing, cryptographer at Bitcoin infrastructure firm Blockstream. "It's your bug, period."