ZecSec: Zcash Ecosystem Security

If you used libbitcoin-explorer (bx) to generate your seed phrase, rotate it ASAP!

A critical vulnerability has been discovered in libbitcoin-explorer (command-line tool bx), known as “milk sad”.

If at any point in the past, you may have used the bx seed tool to generate your crypto wallet’s seed phrase, you must IMMEDIATELY generate a new seed phrase using an up-to-date secure wallet and move your funds to the new wallet.

The bug in bx seed is simple: it used only the system’s time as a source of randomness when generating seed phrases. As a result, bx seed could only ever produce one of around 4 billion seed phrases. This set of 4 billion seed phrases can easily be re-generated by attackers, and funds are currently being stolen from wallets using one of these seed phrases.

Similar bugs have existed in Cake Wallet and Trust Wallet, see the details in the milk sad discoverers’ technical writeup. If you used those wallets, I recommend re-generating a new seed phrase as well.

As far as I know, other wallets are not affected by this bug. To protect yourself against these kinds of bugs, be sure to only use a wallet which has undergone an independent security review.