Cryptocurrency self-custody wallet OneKey has revealed a vulnerability that could impact up to 120,000 Bitcoin private keys. The flaw stems from the Libbitcoin Explorer (bx) 3.x library, which several wallets used to generate private keys. The issue, discovered after the Milk Sad incident, exposes wallets to brute-force attacks because the library relied on a weak random-number algorithm.
According to the OneKey report, the problem originated from bx’s use of the Mersenne Twister-32 algorithm. bx seeded the generator using only the system time, which limited randomness to 2³² possible values. Consequently, attackers could predict wallet keys by testing all possible seeds within days.
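The sketch below is an added illustration, not code from OneKey, Libbitcoin or the original report. It uses Python's standard-library Mersenne Twister as a stand-in for the bx generator to show why a 32-bit time seed caps a 256-bit key at 32 bits of entropy, next to the hardened form that reads from the operating system CSPRNG. The function names and the guess rate are assumptions made for the example.

```python
import random
import secrets
from typing import Optional

SEED_BITS = 32  # from the article: only 2**32 distinct seeds are possible


def weak_entropy(time_seed: int, nbytes: int = 32) -> bytes:
    """Vulnerable pattern: Mersenne Twister seeded with a 32-bit time value."""
    rng = random.Random(time_seed & 0xFFFFFFFF)  # seed truncated to 32 bits
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_entropy(nbytes: int = 32) -> bytes:
    """Hardened form: bytes drawn from the operating system CSPRNG."""
    return secrets.token_bytes(nbytes)


def effective_bits(nbytes: int, seed_bits: Optional[int]) -> int:
    """Upper bound on key entropy: output length, capped by the seed size."""
    out_bits = nbytes * 8
    return out_bits if seed_bits is None else min(out_bits, seed_bits)


def enumeration_days(bits: int, guesses_per_second: float) -> float:
    """Days needed to walk a keyspace of 2**bits at a given rate."""
    return (2 ** bits) / guesses_per_second / 86400


if __name__ == "__main__":
    seed = 1_700_000_000  # constructed sample timestamp
    # Same seed, same "random" key: the output is a pure function of the seed.
    print(weak_entropy(seed) == weak_entropy(seed))
    # Seeds that differ only above bit 31 collapse to the same key.
    print(weak_entropy(seed) == weak_entropy(seed + 2 ** 32))
    print("weak key entropy bound:", effective_bits(32, SEED_BITS), "bits")
    print("CSPRNG key entropy bound:", effective_bits(32, None), "bits")
    # Constructed rate of 10,000 derivations per second, for scale only.
    print("days to cover 2**32:", round(enumeration_days(32, 10_000), 2))
```
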
“The vulnerability disclosed in the Milk Sad incident does not affect the mnemonic or private key security of any OneKey hardware or software wallet,” the company confirmed on X.
OneKey’s security evaluation
OneKey conducted a comprehensive test across macOS, Windows, Android, and iOS to assess the quality of its mnemonic generation. The findings confirmed that all platforms use cryptographically secure random number generators following NIST SP 800-22 and FIPS 140-2 standards. Moreover, OneKey’s browser version uses a built-in Chrome security tool to create random numbers, while its Android and iOS apps use secure systems built into each phone’s operating system.
In addition, every OneKey hardware wallet has its own chip that generates random numbers inside the device, following strict security rules to lower tampering risks. Older models also use built-in systems that meet global security checks. However, OneKey advised users not to move recovery phrases made on software wallets into hardware ones, since weaker randomness could make private keys easier to guess.
At the same time, experts from Cisco Talos and Google found that a North Korean hacking group called Famous Chollima is hiding malware inside blockchain smart contracts. The group uses a new trick called “EtherHiding” to sneak in harmful code, mainly targeting job seekers through fake interviews to steal their crypto and personal information.
The discovery shows how crucial real randomness is when creating wallet keys. Hardware wallets that generate their own keys make it harder for hackers to guess them.
