Research . Vulnerability
MilkSad: the bx seed weakness (CVE-2023-39910)
Part of our weak-randomness research: see the Weak randomness in crypto wallets overview.
Wallets generated with libbitcoin-explorer’s bx seed command drew their entropy from a clock, not from real randomness — which makes them predictable, and, for their rightful owners, recoverable.
MilkSad, catalogued as CVE-2023-39910, is one of the clearest weak-randomness failures in cryptocurrency history. It affects wallets whose seed was produced by the bx seed command in libbitcoin-explorer. The name comes from the mnemonic of the weakest possible seed, which begins “milk sad…”. This page explains the flaw and how recovery works for an owner of an affected wallet.
What the Milksaw flaw is
To create a wallet you need genuine randomness. The bx seed tool instead seeded a Mersenne Twister pseudo-random generator (MT19937) with the system time in seconds — a 32-bit value. That collapses the entire keyspace: instead of astronomically many possible seeds, there are only about four billion, and in practice far fewer, because the creation time is usually known to within a window. Anyone who knows roughly when a wallet was made can regenerate the exact seed it produced.
Who is affected
Any wallet whose seed entropy came from bx seed is affected, across the years the tool carried the flaw (roughly 2011–2023). That includes people who used libbitcoin-explorer directly and, importantly, anyone who followed a tutorial or script that called bx seed under the hood to generate a mnemonic. If your BIP39 phrase was created that way, its security never existed — the phrase was one of a small, enumerable set.
Why the time seed is fatal
A Mersenne Twister is deterministic: the same seed always produces the same stream. So the seed value is the only secret, and here that value was just a timestamp. Reproducing a wallet becomes: iterate over the candidate seconds in the plausible creation window, run each through the same MT19937 to produce the same entropy, derive the resulting mnemonic and addresses, and check against the known address. Because a day is only 86,400 seconds and a year about 31 million, the search finishes quickly on ordinary hardware. This is the same class of failure as Randstorm — predictable randomness — in a different tool.
How recovery works for the owner
The same predictability that makes MilkSad dangerous makes an affected wallet recoverable for its rightful owner. If you created a wallet with an affected tool and later lost the mnemonic, we can regenerate it: with an approximate creation date and one known address from the wallet, we sweep the timestamp range through the MT19937 derivation until the addresses match, then reconstruct the exact seed. We do this only for wallets you own and can demonstrate a connection to — the point is to return funds to their owner, not to enable theft.
If you think you’re affected
If a wallet of yours may have been generated with bx seed or a tool built on it and it still holds funds, treat it as compromised: move the funds to a new wallet created with a properly random seed as soon as you can, because anyone else can regenerate the old one too. If you’ve already lost access, recovery is realistic precisely because of the flaw — the same method that an attacker would use is the one that returns your coins to you.
How much was at risk
The consequence of a four-billion-seed keyspace is that affected wallets can be swept en masse by anyone who runs the enumeration — and some were. Because the flaw sat in a widely used command-line tool, the exposure spread through every script, tutorial and downstream project that called it to “generate a secure seed”. That is the quiet danger of a weak-randomness bug: it doesn’t announce itself, the wallets look normal, the mnemonic looks like any other twelve words, and the weakness is invisible until someone enumerates the seed space. For an owner, the practical takeaway is that the balance can vanish at any time, so an affected wallet should be emptied into a fresh one immediately.
Weak randomness is a recurring pattern
MilkSad is not an isolated mistake; it belongs to a family of failures where a wallet’s randomness came from something predictable — a clock, a browser quirk, a flawed platform generator. Randstorm collapsed the entropy of early browser wallets; the 2013 Android SecureRandom flaw leaked keys through repeated signature nonces; the 2014 Ethereum presale generator leaned on browser Math.random for parts of its process. The common thread is that the cryptography was sound but the seed was not, and in every case the same predictability that enabled theft also enables recovery for the rightful owner. This is a core strand of our research, because a large share of “lost” early crypto is really weak-randomness crypto waiting to be reconstructed.
Disclosure and our work
MilkSad was publicly disclosed in 2023 by the security researchers behind the milksad.info advisory and assigned CVE-2023-39910; credit for the discovery is theirs. KeychainX’s contribution is on the recovery side: we have built and run the time-seed reconstruction against affected wallets for their owners, as part of our wider work on weak-randomness recovery (see our Randstorm research for the closely related browser-wallet case). We reference the original advisory for the full technical disclosure.
Часто задаваемые вопросы
What is MilkSad?
A weak-entropy vulnerability (CVE-2023-39910) in libbitcoin-explorer’s bx seed command, which seeded a Mersenne Twister with 32-bit system time — making the resulting seeds predictable and enumerable.
Is my wallet affected?
If your seed was generated with bx seed, or a tool/tutorial that used it, yes. The security of that phrase never existed; move any funds to a wallet with a properly random seed.
Can a MilkSad wallet be recovered if I lost the seed?
Often yes, for the owner. With an approximate creation date and a known address, we regenerate the seed by sweeping the timestamp range through the same derivation until the addresses match.
Who discovered MilkSad?
The researchers behind the milksad.info advisory disclosed it in 2023 (CVE-2023-39910). KeychainX works on the recovery side for affected owners.
Сколько стоит восстановление?
Success-based: a percentage of the recovered value only if we recover the wallet, and nothing upfront.
Wallet made with a weak tool?
If your seed may have come from bx seed and you’ve lost access, it’s likely recoverable. Tell us the wallet and an approximate date — honest assessment within 24 hours.
