Just had yet another person (hard to count the total now) reach out about a low-entropy seed they generated and were allowed to import into a certain hardware wallet. A lot of the blame for these lost funds falls on influencers who shill users on overly-complex security setups without properly explaining the massive risks and tradeoffs associated for the average user.
What happened
Less than 10min after funds were sent to what they thought was secure storage, they were swept to an attackers address.
They used <10 dice rolls, meaning the private key had <25bits of entropy when the minimum for strong security is 50 dice rolls (128 bits of entropy). Wallets should not allow a user to import a seed that they know is completely insecure.
Staying safe
As I have said many times, if you don't know the ins and outs of dice rolls, entropy, verification of the resulting seed offline, etc. please do not use dice rolls alone for seed generation. 99.99999% of users are better off allowing good, multi-source, open-source random number generation like we do on Passport.
To date I have heard of zero compromised seeds that were generated using on-board RNG due to entropy issues, while there are countless examples of users losing funds due to improper dice rolls.
Stay safe out there, folks.
213 sats \ 2 replies \ @KLT 15 Feb
Staying in my lane and would never even attempt dice rolls. People always want to make things complicated. When in doubt, keep it simple. Damn.
reply
Yeah, fuck this whole bitcoin thing. My financial advisor just told me to keep my money in savings account since interest rates are high. I'm gonna let him take the 0.75% management fee and stay in my lane.
reply
0 sats \ 0 replies \ @KLT 16 Feb
Haha the fiat lane isn’t doing us any favors!
reply
249 sats \ 3 replies \ @oomahq 15 Feb
IMO the wallet is more at fault than the users.
No software should produce a seed without enough dice rolls/entropy.
reply
Software can't stop user error. You can turn anything into 23 words and enter into a device without it knowing how you made them. But yes, if it is rolls entered into device, they should change this regardless.
reply
21 sats \ 1 reply \ @anon 16 Feb
Sure, but you can't write unit tests (or any tests for that matter) for this bug.
This is why entropy bugs are so completely evil. They're the one class of bugs you can't test for.
So just saying "well software shouldn't have these bugs" is sticking your head in the sand. This class of bugs is special.
reply
How so? Seems rather straightforward.
Assert exception thrown when generate_seed() called with less than 50 dice rolls.
reply
52 sats \ 2 replies \ @sime 15 Feb
Don't roll your crypto. Don't roll your own dice.
reply
0 sats \ 1 reply \ @anon 16 Feb
Don't be your own bank?
reply
Do you think Satoshi rolled his own dice? His funds still seem pretty locked.
reply
True. This should be like a pinned message in every hardware and software wallet
reply
This is exactly why we don't even allow users to do dice roll entry on Passport.
Juice is almost never worth the squeeze and users WILL mess it up at some point.
reply
Oh, lmao, this whole post was a scammy shill. Fuck off, dude
reply
For generating a standard seed, agree that the onboard RNG is most likely good enough. Even better if the wallet allows the user to inject some of their own entropy, so that user input is strictly additive. But dice rolls do have their place for more... exotic ... setups e.g. #400044
reply
You think that's a hot take?
A person that stupid shouldn't have bitcoin. If they have children, maybe they can ask their children to hold their bitcoin. They should probably just have 20% bitcoin ETF and 80% SPY. No different than how you wouldn't say Joe Biden is mentally unfit to self custody.
Not being a moron does not make someone an expert. ColdCard makes it very clear you want 100 rolls. How are you not going to pay attention to details with your life savings???
If you can't roll a dice, I'm honestly terrified to know you are out there driving on the same streets as me. Please don't crash into me, ffs.
reply
53 sats \ 0 replies \ @joda 15 Feb
also, after setting up a wallet, only send to it an amount you are willing to lose, then wait several days, if possible, to see if it gets swept.
reply
Knowing that you need to use more than 10 dice rolls for high entropy, food does not make you an expert.. the actual fuck…
reply
What do you think about this guide if followed correctly? https://bitbox.swiss/blog/roll-the-dice-generate-your-own-seed/
reply
If followed correctly, it should be fine.
But I don't see the point for 99.999% of people and most people won't follow it correctly.
reply
10 sats \ 1 reply \ @doofus 15 Feb
Thanks for the feedback. Would creating a multi-sig wallet increase difficulty of entropy if someone only followed it 99.8% correctly? Or is it just as easy to crack?
reply
Yes, as you'd have to break the threshold of wallets to move funds.
reply
10 sats \ 1 reply \ @random_ 15 Feb
Wallets should not allow a user to import a seed that they know is completely insecure.
How?
reply
Should have been more specific, I'm referring to allowing a user to provide entropy that is known to be insufficient.
You can't calculate the entropy of a given seed phrase, outside of just rejecting known-bad seeds like bacon bacon bacon etc.
reply
Oh come on now! How naive can one be?!
reply
If allowed, users will make every mistake possible over time!
reply
Apparently the wallet should have caught it or forced the user to be an eXpErT and UsE moRE than 10 rolls.. yeah true I get it.
But you can’t be this stupid anymore…
reply
Disagree - You don't have to be an expert to do what instruction said...
reply
1000 sats \ 0 replies \ @TheFish 15 Feb
If you are confident enough to try dice rolls, you should be confident enough to use multiple signatures
reply
169 sats \ 2 replies \ @anon 15 Feb
retard take
reply
Great input, thanks!
reply
You can rely on anon for great input lol
reply
0 sats \ 0 replies \ @Neo 18 Mar
IS THIS TRUE?
"True random number generator and non-deterministic algorithms create private keys- Devices such as Trezor, Ledger, ELLIPAL and most wallets come pre-loaded with private keys, meaning a level of trust is involved."
Maybe this would be the best solution to avoid potential issues with the TRNG elements or can the user also do something wrong with this?
reply
To date I have heard of zero compromised seeds that were generated using on-board RNG due to entropy issues
Dude what rock have you been hiding under? Randstorm was disembargoed almost three months ago. BitPay had to scramble to get all the people who used Bitcore to regenerate their seeds:
The awful thing about keygen entropy bugs is that you can't unit test for true randomness. This leaves people vulnerable to entropy bugs ten years later which is exactly what happened with bitcoinjs.
I think you're doing people a huge disservice with this kind of fearmongering. Put your time to better uses, like spelling out a clear, precise, easy-to-follow-and-hard-to-fuck-up set of instructions for generating a seed using dice. The gold standard is this: roll the dice, convert to seedphrase by hand (using pencil and paper and word tables), import the seedphrase into two airgapped wallets based on completely different software, make sure each can spend the other's UTXOs.
reply
ok so let me challenge you,,, i'll throw a dice just 10 times like you say and i bet you'll not be able to guess the seed, are you up for the challenge? i'll throw a dice for 10 times, and use the outcome string to generate a sha512 hash which i will use as a bip39 seed... are you up for it?
reply
10 sats \ 0 replies \ @Krv 16 Feb
There are people who have already run their computers to generate seeds using all possible low entropy values and they already know a seed you would generate.
reply
It would be useful to have more info. What guide was the user following? What HWW were they using?
I am surprised you cite this as a common issue. Everything I've come across online concerning the dice method has made it abundantly clear that you need a certain number of rolls to achieve a desirable level of entropy.
reply
the answer is borderwallets
reply
Open-source generators… you mean like the “BX seed” command in LiBitcoin?
“The Milk Sad Vulnerability and What It Means for Bitcoin Bitcoin MagazineAug 28, 2023 In the newest episode of Bitcoin Magazine’s "Bitcoin, Explained,” hosts Aaron van Wirdum and Sjors Provoost discuss the ramifications of a newly discovered exploit dubbed “Milk Sad,” affecting Bitcoin users attempting to run the alternative Bitcoin implementation Libbitcoin when connecting to the network.
Revealed earlier this month, the issue of an insecure Bitcoin command called "BX Seed" in the Libitcoin library has made it vulnerable to attacks, potentially allowing adversaries to guess private keys and access Bitcoin funds.
As profiled, the insecure command produces only 32-bit random seeds, significantly reducing the number of possible seeds and making it relatively easy to guess a target user’s private keys. …“
You don’t know what you don’t know, and most people hardly know anything at all. Trusting a hardware wallet is still trusting a third party. Most people can’t read computer code, so how can they verify that the code isn’t malicious, and produces seeds from an adequately random number generator?
I know that a good seed mnemonic is comprised of 23 seed words produced in a truly random way, +1 word calculated from a bit more entropy and the prior 23 words.
Keep It Simple Stupid — print, and then cut out, all 2048 possible seed words onto tiny slips of paper, put all the papers in a bucket, make sure they’re all well separated and not stuck together. Shake the bucket, reach in without looking and pick one slip of paper. Write it down, return the paper to the bucket, and repeat 22 more times. Use SeedSigner and a coin to get the 24th word.
Simple and effective.
reply
Okay I will be the noob here. So they rolled 10 dice and derived a seed (256 bits) number from that.
What you're saying is that this wasnt enough randomness. Someone looked at the chain, saw the deposit to the address generated from that seed, and brute forced it?
Here's my question: the public btc address that was generated from that seed was generated from sek256 elliptic curve math, so how on earth did the attacker know it was a low entropy seed??
I can take 44 character number with very low entropy e.g. 1234321234...etc and it will generate an address like bc1etc. There's no way for me to know that address was a low entropy address....
So why was this guys 10/roll seed an issue??
Just a question
reply
214 sats \ 0 replies \ @Krv 16 Feb
One could calculate the resulting seeds and addresses for all possible dice rolls up to a certain amount of entropy. Also, they can do that for other low entropy sources. Then, simply listen to the blockchain,checking for funds sent to those addresses.
reply
Dice rolls...? What's this? Casino? 😬
reply
Hello
I'm not an expert, but I somehow managed to roll a set of dice enough times to get 256 bits of entropy. I also added a passphrase.
Dice rolling is an excellent method to mitigate risks of RNGs because you're obviously generating verifiable entropy in front of your own eyes.
Here is a straightforward guide, maybe not for Grandma, but easy enough for non-experts like me:
I assume the process should work on devices that copied the Coldcard's firmware, so Passport wallet may be able to do this process too.
reply
more nuanced and maybe actionable advice is probably something like:
  • get informed about what entropy from dice rolls is for,
  • don't trust just one software implementation with life changing wealth, and
  • learn how to add your own entropy in a safe way to avoid relying just on the software
that's how I'd rewrite the title/post if I wasn't trying to pitch a hardware wallet.
one advantage of rolling dice is you do it in front of your eyes. you see and experience the entropy yourself. so you can sleep a bit sounder knowing you're not wholly trusting software that you don't exactly know 100% inside out
Don’t roll your cripto
stackers have outlawed this. turn on wild west mode in your /settings to see outlawed content.
stackers have outlawed this. turn on wild west mode in your /settings to see outlawed content.