11:00 - 11:40, Day 4
Dude, Where's My Crypto? - Real World Impact of Weak Cryptocurrency Keys
We present Milksad, our research on a class of vulnerabilities that exposed over a billion dollars worth of cryptocurrency to anyone willing to 'crunch the numbers'.
The fatal flaw? Not enough chaos.
Learn how we found and disclosed issues in affected open source wallet software, brute-forced thousands of individual affected wallets on a budget, and traced over a billion US dollars worth of prior transactions through them.
In July 2023, people in our circle of friends noticed a series of seemingly impossible cryptocurrency thefts, which added up to over one million US dollars.
A common denominator was discovered across the set of victims we knew: the wallet software libbitcoin-explorer. Vulnerable versions used a weak pseudorandom number generator when creating cryptocurrency wallets. Within a short period of time, we disclosed the vulnerability, CVE-2023-39910.
Using this weakness, attackers were able to compute victims' private keys, something that should be computationally infeasible when keys are generated from a proper source of randomness.
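The bug class in one runnable picture, as an added illustration that is not code from the talk or from libbitcoin-explorer: a wallet derives its private key from a general-purpose PRNG (Python's Mersenne Twister here) seeded with a small integer, so the effective key space collapses to the seed space and an attacker who only knows a victim's public address can enumerate every seed offline until the derived address matches. The seed width, the hypothetical `address_of` derivation and the 16-bit default are assumptions chosen to keep the run fast; the page does not state how many bits of entropy the real vulnerable versions had, and a real attack would walk a larger seed space and compare against on-chain addresses instead.

```python
import hashlib
import random
import secrets


def weak_keygen(seed: int) -> bytes:
    """Deliberately weak: Mersenne Twister is not a CSPRNG, and the key is a
    deterministic function of a small seed (assumption: seed fits in seed_bits)."""
    rng = random.Random(seed)
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_keygen() -> bytes:
    """Correct pattern: 256 bits straight from the OS CSPRNG (os.urandom)."""
    return secrets.token_bytes(32)


def address_of(key: bytes) -> str:
    """Hypothetical stand-in for a public address: a one-way function of the
    private key, so knowing it does not directly reveal the key."""
    return hashlib.sha256(b"addr:" + key).hexdigest()[:20]


def brute_force_seed(target_addr: str, seed_bits: int):
    """Attacker side: try every seed, derive the key exactly as the wallet did,
    and stop when the derived address matches the victim's. Cost is 2**seed_bits
    key derivations, not 2**256."""
    for seed in range(1 << seed_bits):
        key = weak_keygen(seed)
        if address_of(key) == target_addr:
            return seed, key
    return None


def demo(seed_bits: int = 16) -> bool:
    """Victim generates a wallet with the weak generator; attacker recovers the
    private key from the public address alone. Returns True on success."""
    victim_seed = secrets.randbelow(1 << seed_bits)   # constructed victim
    victim_key = weak_keygen(victim_seed)
    public_addr = address_of(victim_key)              # all the attacker sees
    found = brute_force_seed(public_addr, seed_bits)
    return found is not None and found[1] == victim_key


if __name__ == "__main__":
    print("weak key recovered from address:", demo(16))
    # strong_keygen() gives a fresh 256-bit key each call; no seed to enumerate
    print("strong keys differ:", strong_keygen() != strong_keygen())
```

Scaling the seed to 32 bits makes `brute_force_seed` a few billion SHA-256 and PRNG calls, which is a budget-class job on commodity hardware; the defence is not a bigger seed for a general-purpose PRNG but keying from the operating system's CSPRNG, as `strong_keygen` does.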
In this talk we
- 📜 - tell the story of uncovering a digital currency heist
- 🌐 - dive into similar vulnerabilities
- 🔍 - trace the movement of coins
- ⚖ - outline ethical challenges of cryptocurrency security research
- 🛡 - explore methods to defend and protect against this bug class
Our intention is to share the story of how little details can have big consequences, and why high-quality randomness, the 'chaos' in the title, matters.