9 hours ago
12
TLDR:
- Libbitcoin bx 3.x used a weak Mersenne Twister-32 RNG, exposing about 120k Bitcoin private keys.
- Trust Wallet versions 0.0.172–0.0.183 and Core ≤3.1.1 were vulnerable to brute-force attacks.
- OneKey hardware wallets generate keys via Secure Element with true RNG, fully cryptographically safe.
- OneKey software wallets rely on OS-level CSPRNG ensuring high-quality randomness for private key generation.
A recent crypto security alert has raised alarms over the potential exposure of around 120,000 Bitcoin private keys. The vulnerability stems from Libbitcoin Explorer (bx) 3.x, which used predictable random-number generation.
Trust Wallet and other products integrating bx 3.x were reportedly affected. OneKey clarified that its wallets, both hardware and software, remain unaffected. Security assessments confirm that OneKey employs robust cryptographic standards to protect users’ assets.
Libbitcoin Flaw Puts Thousands of Bitcoin Keys at Risk
Security researchers flagged a critical flaw in Libbitcoin Explorer 3.x. The software used a Mersenne Twister-32 algorithm seeded solely by system time. Because the seed space is only 2³², attackers can predict random numbers.
Wu Blockchain highlighted that the flaw could expose around 120,000 Bitcoin private keys.
Trust Wallet extensions v0.0.172–0.0.183 and Core versions up to 3.1.1 were affected. Other wallets using the same libraries also faced potential risks. The vulnerability allows attackers to reconstruct the PRNG seed and derive private keys.
A standard high-performance PC could enumerate all possible seeds in days.
OneKey addressed these concerns, clarifying its products were never impacted. OneKey emphasized that the Milk Sad incident did not compromise any hardware or software wallet. Its security team assessed the situation and confirmed no private keys were exposed.
Researchers warn users not to import mnemonics from software wallets into hardware wallets. Doing so may reduce the cryptographic strength of the keys. Users of affected Trust Wallet versions are encouraged to update immediately.
The vulnerability disclosed in the Milk Sad incident does not affect the mnemonic or private key security of any OneKey hardware or software wallet.
Vulnerability Overview
The issue originated from Libbitcoin Explorer (bx) 3.x, which generated random numbers using the Mersenne… pic.twitter.com/BsqhFIeNsl
— OneKey (@OneKeyHQ) October 17, 2025
OneKey Wallet Security and Randomness Standards
OneKey hardware wallets generate keys using a Secure Element with a true random number generator. The SE is EAL6+ certified and meets international cryptographic standards. Legacy devices also rely on tested internal TRNGs.
Randomness quality passes NIST SP800-22 and FIPS-140-2 evaluations, ensuring key unpredictability.
OneKey software wallets use operating system cryptographically secure PRNGs. Desktop and browser wallets rely on Chromium WASM APIs, while mobile wallets use system-level CSPRNGs. This setup maintains robust cryptographic integrity. OneKey advises using hardware wallets for long-term asset storage.
The company highlighted that the quality of software wallet randomness depends on the device’s OS and hardware. If compromised, entropy could weaken, potentially affecting security.
OneKey published detailed entropy assessments and certification files for user verification.
For crypto investors, the takeaway is clear: OneKey hardware wallets provide a secure environment while certain older libraries remain vulnerable. Regular updates and caution with mnemonics are critical.
English (US) ·