OneKey, the team behind the popular multi-chain wallet, has disclosed a severe vulnerability in the underlying wallet-key-generation library Libbitcoin Explorer (BX) version 3.x, which may have enabled attackers to crack as many as 120,000 Bitcoin private keys. The issue arises from the library’s use of the Mersenne Twister-32 pseudo-random number generator seeded by system time, which leaves a seed space of only 2³² (~4.29 billion) values, small enough to enumerate in practice.
What happened
- The vulnerability was first disclosed under the codename “Milk Sad” (CVE-2023-39910) and detailed by security researchers pointing out that BX’s bx seed command used the Mersenne Twister algorithm seeded with only 32 bits of entropy.
- According to the disclosure, because the seed space is so small, attackers could brute-force private keys generated via the command-line tool. Real-world exploitation was observed — at least US$900,000 in thefts across Bitcoin and other chains were linked to the flaw.
- OneKey’s statement expands this risk by noting that several wallet products and browser extensions using Libbitcoin Explorer or the same underlying key-generation libraries may be impacted. Affected products reportedly include:
- Trust Wallet Extension versions 0.0.172 – 0.0.183
- Trust Wallet Core version ≤ 3.1.1
- Other wallet products built on the same vulnerable library.
- Wallet users who created private keys with the affected versions are being urged to immediately transfer funds to a new wallet that uses a cryptographically secure random-number generator (CSPRNG) with sufficient entropy.
Why it matters
▪ Weak entropy breaks wallet security
Private keys for Bitcoin and many other cryptocurrencies rely on true randomness to remain secure. If the generator is predictable — as is the case with a simple seeded Mersenne Twister-32 when seeded by system time — the key space drastically shrinks, enabling attackers to generate the same private keys. As explained in the disclosure, the effective entropy dropped from 128/256 bits to just 32 bits in some cases.
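The weak pattern described above next to a corrected one, as an added C++ example (not libbitcoin's code; the function names, the top-byte extraction and the clock truncation step are simplifying assumptions, and getrandom() assumes Linux):

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <random>
#include <stdexcept>
#include <sys/random.h>  // getrandom(), Linux/glibc (assumed platform)

using Seed = std::array<std::uint8_t, 32>;

// Weak pattern: every output byte is a function of one 32-bit value, so at
// most 2^32 distinct 256-bit seeds can ever be produced.
// Taking the top byte of each draw is a simplification (assumption).
Seed weak_seed(std::uint32_t seed32) {
    std::mt19937 twister(seed32);
    Seed out{};
    for (auto& b : out) b = static_cast<std::uint8_t>(twister() >> 24);
    return out;
}

// Assumed seeding step: a 64-bit clock reading truncated to 32 bits, so
// readings that differ only above bit 31 yield the same wallet seed.
Seed weak_seed_from_clock(std::uint64_t clock_ticks) {
    return weak_seed(static_cast<std::uint32_t>(clock_ticks));
}

// Corrected form: all 256 bits come from the kernel CSPRNG.
Seed secure_seed() {
    Seed out{};
    std::size_t got = 0;
    while (got < out.size()) {
        ssize_t n = getrandom(out.data() + got, out.size() - got, 0);
        if (n < 0) throw std::runtime_error("getrandom failed");
        got += static_cast<std::size_t>(n);
    }
    return out;
}

int main() {
    const std::uint64_t t = 1690000000123456789ULL;  // constructed sample reading
    bool same = weak_seed_from_clock(t) == weak_seed_from_clock(t + (1ULL << 32));
    bool fresh = secure_seed() != secure_seed();
    return (same && fresh) ? 0 : 1;  // 0: weak seeds collide, secure ones do not
}
```
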
▪ Mass-impact across wallets
Because Libbitcoin Explorer is a well-known developer toolkit and because wallet developers may inadvertently rely on its bx seed workflow for key creation, the vulnerability potentially impacts large numbers of wallets spanning BTC and other chains. That has systemic risk implications for crypto custodians and users alike.
▪ Trust & reputation risk
Wallet brands like Trust Wallet are named in the disclosure, which may undermine user trust. Developers who reused insecure libraries or patterns may face remediation costs, audits, or litigation risk.
What to do if you’re affected
The researchers and disclosure sites recommend:
- If you used Libbitcoin Explorer (BX) 3.x to generate wallet seeds or private keys, assume the key is compromised and transfer funds immediately to a secure new wallet.
- Avoid using any wallet or tool if it explicitly uses bx seed or has documentation indicating non-CSPRNG key generation.
- Check the version of your wallet software and its underlying libraries; upgrade to versions that use robust, audited random-number generation.
What’s next
- Audit of affected products: Wallet providers such as OneKey, Trust Wallet and others must publish detailed audits and remediation reports documenting which versions are impacted and what steps are being taken.
- Blockchain forensics: Monitoring of “weak-entropy cluster” wallet addresses may allow tracking of compromised funds and identify attackers or victims.
- Library updates and ecosystem education: Libbitcoin maintainers should explicitly deprecate bx seed for production use and push clearer warnings; wallet developers must re-examine key-gen flows.
- Regulatory scrutiny: Given the magnitude of risk, regulators may press wallet providers for disclosure and consumer remediation plans.
Bottom line
The OneKey-reported vulnerability in Libbitcoin Explorer’s key generation (via weak PRNG seed) is a stark reminder that cryptography, randomness and wallet infrastructure remain foundational to crypto asset security. With as many as 120,000 private keys potentially crackable, wallet users and developers must act swiftly. If you used any of the affected wallets or tools, treat the situation as urgent and move your funds to a secure wallet that uses true, cryptographically secure randomness.