
TritonRecover: Cryptanalysis of libwally-core Vulnerabilities for Recovering Lost Bitcoin Wallets
With the widespread adoption of Bitcoin cryptocurrency, the problem of preserving and recovering lost wallets is becoming increasingly relevant. The foundation of security in the Bitcoin ecosystem is the reliable generation and storage of private keys. Libwally-core — a widely used cross-platform library implementing cryptographic primitives and operations with Bitcoin wallets — plays a central role in this process. Imperfections and vulnerabilities in libwally-core can lead to loss of funds and compromise user security.
TritonRecover is an innovative cryptanalysis tool specifically designed to identify and exploit vulnerabilities in libwally-core to recover lost or corrupted Bitcoin wallets. This work is dedicated to describing the methodology, implementation, and results of applying TritonRecover.
Overview of libwally-core and Identified Vulnerabilities
Libwally-core is written in C and intended for creating, managing, and signing Bitcoin transactions. Over years of use, the following main types of vulnerabilities have been identified:
- Key generation errors — producing predictable private keys due to insufficient entropy or incorrect calculation of elliptic curve parameters (e.g., the constant N for the secp256k1 group order). This results in invalid keys being mistakenly validated.
- ECDSA signature verification issues, including the signature malleability vulnerability, which allows multiple valid signatures for the same transaction and opens avenues for cryptanalysis.
- Buffer and message processing errors, including overflow, potentially leading to execution of malicious code.
- Base58 encoding errors, causing address spoofing and increased phishing risks.
- Memory management issues, possibly leading to leakage of confidential information.
A systematic study of these vulnerabilities enabled the development of TritonRecover as a tool for their diagnosis and exploitation.
Methodology of TritonRecover
TritonRecover employs advanced cryptanalysis and software diagnostics to detect and exploit libwally-core vulnerabilities. Key areas include:
Key Generation Analysis
- Identification and detailed mathematical analysis of incorrect key generation parameters, such as violations of the valid range [1, N] for private keys, where N is the secp256k1 group order.
- Analysis of low entropy in random number generation to recover private keys.
- Application of elliptic curve properties and algorithmic approaches to detect predictable and invalid keys.
Signature Analysis
- Investigation of ECDSA signature malleability, where a single transaction may have multiple valid signatures.
- Use of lattice basis reduction algorithms and searches for ephemeral nonce values to uncover hidden components of signatures.
- Recovery of private keys from discovered deviations and anomalies.
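As an added example (not code from this page, from TritonRecover or from libwally-core), the two input validations that the key generation and signature passages above refer to, written against the public secp256k1 group order n: rejecting private-key scalars outside [1, n-1], and detecting or normalizing malleable high-S ECDSA signatures under the BIP-62 low-S rule. The function names are my own.

```python
# Added example: defensive checks a wallet applies before accepting a private
# key or an ECDSA signature. Pure integer arithmetic, no external libraries.

# secp256k1 group order n (public curve constant, not a value from this page).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HALF_N = SECP256K1_N // 2  # n is odd, so this equals (n - 1) / 2


def private_key_is_valid(key: bytes) -> bool:
    """A secp256k1 private key is a 32-byte big-endian scalar k with
    1 <= k <= n - 1. Zero and any value >= n are invalid even though they
    are 32 bytes long, which is exactly the case a range check must catch."""
    if len(key) != 32:
        return False
    k = int.from_bytes(key, "big")
    return 1 <= k < SECP256K1_N


def is_low_s(r: int, s: int) -> bool:
    """BIP-62 low-S rule: for any valid (r, s), the pair (r, n - s) verifies
    for the same message and key, so a verifier that accepts both lets a
    third party alter the signature (and the txid). Only s <= n/2 is accepted."""
    return 1 <= r < SECP256K1_N and 1 <= s <= HALF_N


def normalize_s(r: int, s: int) -> tuple[int, int]:
    """Return the canonical low-S form of (r, s), mapping a high s to n - s.
    Raises on values outside [1, n-1], which are never valid signature parts."""
    if not (1 <= r < SECP256K1_N and 1 <= s < SECP256K1_N):
        raise ValueError("r and s must be in [1, n-1]")
    return (r, s) if s <= HALF_N else (r, SECP256K1_N - s)


if __name__ == "__main__":
    # Constructed sample values, not real wallet material.
    print(private_key_is_valid(b"\x00" * 32))        # False: k = 0
    print(private_key_is_valid(b"\xff" * 32))        # False: k >= n
    print(is_low_s(5, HALF_N + 1))                   # False: malleable high S
    print(normalize_s(5, HALF_N + 1) == (5, HALF_N))  # True
```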
Interaction with libwally-core
- Integration with the libwally-core API to analyze multisignature, hardware, and software wallets.
- Diagnosis of corrupted wallet files and extraction of available data.
Implementation and Results
TritonRecover is implemented as a comprehensive software solution capable of running on multiple platforms. Experiments confirmed:
- The ability to recover private keys even without standard backups or seed phrases.
- High effectiveness when working with wallets vulnerable due to libwally-core deficiencies from 2018–2022.
- Extension of recovery capabilities beyond traditional methods by using cryptanalytic approaches.
- Enhancement of Bitcoin ecosystem security through auditing and threat detection in the library.
TritonRecover demonstrates an innovative approach to recovering lost Bitcoin wallets based on deep cryptanalysis of libwally-core vulnerabilities. It not only expands digital asset recovery options for users but also elevates Bitcoin ecosystem security by timely identification and mitigation of vulnerabilities.
Further development of TritonRecover and similar tools will contribute to improving blockchain infrastructure reliability and protect users’ funds from irreversible loss.
The CVE-2020-12034 vulnerability in the Bitcoin protocol is related to errors in processing non-standard messages. It manifests as incorrect handling of certain non-standard or invalid messages in the Bitcoin network, which can lead to failures in data transmission between network nodes.
A distinctive feature of this vulnerability is that improper message handling can cause communication failures and potentially lead to node crashes or network disruptions.
In the TritonRecover context, this vulnerability is important because data and message processing errors in libwally-core can be exploited to recover data from corrupted or incomplete Bitcoin wallets. TritonRecover analyzes such errors and anomalies in data arising from CVE-2020-12034 to identify and restore access to lost or damaged keys and wallets.
TritonRecover uses cryptanalytic methods leveraging weaknesses in the handling of non-standard messages to extract information from corrupted Bitcoin wallets, enhancing the chances of successful digital asset recovery. This further emphasizes the importance of proper data handling and protocol security within the Bitcoin ecosystem.
TritonRecover addresses the challenge of recovering lost Bitcoin wallets by identifying and exploiting the CVE-2020-12034 vulnerability related to errors in processing non-standard messages in the Bitcoin protocol in the following ways:
- During transmission and processing of non-standard or corrupted messages in libwally-core, anomalies, errors, and failures may occur, leading to damage or partial loss of wallet data, including private keys and signatures.
- TritonRecover analyzes these non-standard messages and their effects on wallet data using cryptanalysis and memory state analysis methods to detect vulnerable or predictable parameters in keys and signatures.
- Particular attention is given to ECDSA signature processing errors, where, due to the signature malleability vulnerability, hidden nonce values can be identified and private keys recovered. Through analyzing errors in non-standard messages, TritonRecover reconstructs original private keys from corrupted or incomplete data.
- Additionally, TritonRecover utilizes knowledge about insufficient entropy and improper key validation stemming from CVE-2020-12034 to improve the likelihood of recovering keys that would otherwise be inaccessible.
- TritonRecover converts critical errors in the protocol and libwally-core library, as described in CVE-2020-12034, into practical opportunities for recovering lost Bitcoin wallets and safeguarding users’ digital assets.
TritonRecover recovers lost Bitcoin wallets by detecting the following types of vulnerabilities in libwally-core and related components:
- Key generation vulnerabilities caused by insufficient entropy or flawed random number generation, leading to predictable private keys.
- Signature verification errors, particularly in ECDSA, associated with the signature malleability vulnerability that allows invalid signatures to be accepted as valid and exposes private keys.
- Problems with processing long messages that cause buffer overflows and risk execution of malicious code.
- Base58 encoding and decoding errors, increasing risks of fund loss and phishing.
- Memory management problems causing leakage of confidential information.
- Weak entropy seeding mechanisms in key generation (e.g., the well-known “Milk Sad” vulnerability, CVE-2023-39910) that limit internal entropy and enable recovery of private keys from poorly randomized data.
Using these vulnerabilities, TritonRecover applies cryptanalytic techniques to recover private keys and seed phrases from damaged, vulnerable, or improperly generated Bitcoin wallets. This significantly enhances recovery capabilities compared to traditional backup-based methods.
Thus, TritonRecover works with vulnerabilities in key generation, signature processing, memory, encoding, and cryptographic primitives in libwally-core, enabling effective recovery of access to lost digital assets.
Features of the Milk Sad vulnerability (CVE-2023-39910) enabling TritonRecover to find lost Bitcoin wallets are as follows:
- The vulnerability is associated with the entropy seeding mechanism in cryptocurrency wallets using the Libbitcoin Explorer library versions 3.0.0–3.6.0, including Trust Wallet and other applications.
- The main flaw is the use of the Mersenne Twister mt19937 pseudorandom number generator, which limits internal entropy to only 32 bits regardless of settings. This greatly reduces the randomness and unpredictability of generated private keys.
- Due to weak entropy, attackers or tools like TritonRecover can drastically reduce the key search space and recover private keys generated from the vulnerable “bxseed” entropy.
- In some cases, knowing the wallet address allows immediate computation of its private key without user interaction.
- TritonRecover uses this cryptanalytic approach to recover lost or stolen keys from damaged or poorly generated wallets, significantly improving recovery efficiency compared to traditional methods.
- Thus, the Milk Sad vulnerability gives TritonRecover the ability to exploit limited key generator entropy, simplifying the recovery of lost Bitcoin wallets created with vulnerable libbitcoin versions and related wallets.
Weak entropy in the Milk Sad vulnerability allows TritonRecover to find hidden Bitcoin wallets due to the following:
- The Mersenne Twister mt19937 random number generator used in vulnerable versions of Libbitcoin Explorer and Trust Wallet restricts internal entropy to only 32 bits, drastically reducing the number of possible private keys generated.
- This limited entropy makes the keyspace predictable and greatly narrows the search area for key recovery.
- As a result, rapid brute-forcing and computation of private keys becomes possible with knowledge of only the wallet address.
- TritonRecover applies cryptanalytic methods leveraging this weak entropy to recover private keys from wallets generated using vulnerable algorithms, effectively making “hidden” wallets accessible.
- Therefore, the vulnerability causes a severe security downgrade for wallets, since poor randomness in key generation threatens their confidentiality and integrity.
- In conclusion, TritonRecover exploits the entropy limitation of Milk Sad to find and recover hidden or lost Bitcoin wallets created using vulnerable key generation.