2024-12-30, Saal GLITCH
Language: English
We present Milksad, our research on a class of vulnerabilities that exposed over a billion dollars worth of cryptocurrency to anyone willing to 'crunch the numbers'.
The fatal flaw? Not enough chaos.
Learn how we found and disclosed issues in affected open source wallet software, brute-forced thousands of individual affected wallets on a budget, and traced over a billion US dollars worth of prior transactions through them.
In July 2023, people in our circle of friends noticed a series of seemingly impossible cryptocurrency thefts, which added up to over one million US dollars.
A common denominator was discovered across the set of victims we knew: the wallet software libbitcoin-explorer. Vulnerable versions used a weak pseudorandom number generator when creating cryptocurrency wallets. Within a short period of time, we disclosed the vulnerability, CVE-2023-39910.
Using this weakness, attackers were able to compute private keys of victims, which is supposed to be impossible under normal circumstances.
In this talk we
* 📜 - tell the story of uncovering a digital currency heist
* 🌐 - dive into similar vulnerabilities
* 🔍 - trace the movement of coins
* ⚖ - outline ethical challenges of cryptocurrency security research
* 🛡 - explore methods to defend and protect against this bug class
Our intention is to share the story of how little details can have big consequences and the importance of quality chaos.
- Grew up with big trees, waves, and creatures along the Mendocino Coast
- Fell in love with the magic of open source medical hardware + software in university and helped establish NeuroTechX
- Drawn to ‘safety + security’ work of all kinds
- Discovered open source money systems and dove into the cryptocurrency security field
- Worked at some of the larger cryptocurrency institutions in the industry
- Distrusts Software Supply Chains as much as residents of Flint, Michigan distrust water supply chains
- Sometimes helps distribute security tokens to the people (great-mfa-project; 36c3 Session: Yubikey 101)
- Enjoys environments where “All Creatures are Welcome”
- Somehow affiliated with the Church of Cryptography
- Typically hanging out with friends who provide free shell services for the curious (hashbang.sh)