According to a post on OneKey's Chinese-language Twitter account, the OneKey team stated that the random number generation vulnerability behind the recent "Milk Sad" incident does not affect the security of mnemonics or private keys in OneKey's software and hardware wallets.
The vulnerability stems from Libbitcoin Explorer (bx) 3.x, which seeds a Mersenne Twister (MT19937, 32-bit) pseudo-random number generator with a value derived from the system time. Because that seed is only 32 bits wide, there are at most 2³² possible outputs no matter how long the generated key material is, so an attacker can enumerate every seed and recover the private key by brute force, or predict it outright if the generation time is approximately known. The flaw affects all products that generated keys with bx 3.x, and a similar weakness affected some older versions of Trust Wallet built on earlier versions of Trust Wallet Core.
OneKey says its hardware wallet uses an EAL6+ certified secure element with a built-in true random number generator (TRNG), and that existing devices have passed the NIST SP 800-22 and FIPS 140-2 randomness tests. Its software wallet draws randomness from the operating system's CSPRNG, which meets cryptographic standards. The OneKey team recommends that users manage their assets with a hardware wallet and not import mnemonics created in a software wallet into a hardware wallet, emphasizing that this maximizes security.
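The weakness described above (a 32-bit, clock-derived seed expanded by MT19937), the brute-force recovery it allows, and the OS-CSPRNG alternative that the software-wallet paragraph refers to, as an added example. This is not code from libbitcoin, Trust Wallet or OneKey: the byte layout, the FNV-1a "fingerprint" standing in for the real derive-address-and-compare step, and the search window are all assumptions made for illustration.

```cpp
// Added example, not libbitcoin/bx, Trust Wallet or OneKey code. It models the
// Milk Sad weakness (std::mt19937 seeded with a 32-bit time-derived value),
// recovers the seed by enumerating candidates, and contrasts it with taking the
// secret straight from the OS CSPRNG. Byte layout and fingerprint are assumptions.
#include <array>
#include <chrono>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <random>

using Secret = std::array<std::uint8_t, 32>;

// Little-endian pack of one 32-bit word into the secret at offset i.
static void put_word(Secret& out, std::size_t i, std::uint32_t w) {
    out[i]     = static_cast<std::uint8_t>(w);
    out[i + 1] = static_cast<std::uint8_t>(w >> 8);
    out[i + 2] = static_cast<std::uint8_t>(w >> 16);
    out[i + 3] = static_cast<std::uint8_t>(w >> 24);
}

// Vulnerable pattern: the whole key is a function of one clock value
// truncated to 32 bits, so at most 2^32 distinct keys can ever be produced.
std::uint32_t clock_seed_32() {
    const auto since_epoch =
        std::chrono::high_resolution_clock::now().time_since_epoch();
    return static_cast<std::uint32_t>(since_epoch.count());
}

// Expand the 32-bit seed into 32 "secret" bytes (8 MT19937 output words).
// The output is 256 bits long but carries only 32 bits of entropy.
Secret weak_secret(std::uint32_t seed) {
    std::mt19937 twister(seed);
    Secret out{};
    for (std::size_t i = 0; i < out.size(); i += 4) put_word(out, i, twister());
    return out;
}

// Stand-in for "derive the public address from the secret": FNV-1a 64-bit.
// In the real attack this step is address derivation and a lookup against
// on-chain data; the attacker never needs the secret bytes themselves.
std::uint64_t fingerprint(const Secret& s) {
    std::uint64_t h = 1469598103934665603ULL;
    for (std::uint8_t b : s) { h ^= b; h *= 1099511628211ULL; }
    return h;
}

// Attacker side: given a public fingerprint and a rough idea of when the key
// was made, enumerate seeds in [guess - radius, guess + radius] (mod 2^32).
// Dropping the window and walking all 2^32 seeds is the same loop and costs
// only a few CPU-hours, which is what made the incident exploitable.
bool recover_seed(std::uint64_t target, std::uint32_t guess,
                  std::uint32_t radius, std::uint32_t& found) {
    const std::uint32_t start = guess - radius;  // wraps mod 2^32 on purpose
    const std::uint64_t count = 2ULL * radius + 1;
    for (std::uint64_t d = 0; d < count; ++d) {
        const std::uint32_t candidate = static_cast<std::uint32_t>(start + d);
        if (fingerprint(weak_secret(candidate)) == target) {
            found = candidate;
            return true;
        }
    }
    return false;
}

// Correct pattern: 256 bits taken directly from the OS CSPRNG, no PRNG
// expansion in between. Assumes std::random_device is backed by the OS
// (true for libstdc++/libc++; some old MinGW builds were deterministic, so
// confirm this on your own platform before relying on it).
Secret strong_secret() {
    std::random_device rd;
    Secret out{};
    for (std::size_t i = 0; i < out.size(); i += 4)
        put_word(out, i, static_cast<std::uint32_t>(rd()));
    return out;
}

int main() {
    const std::uint32_t seed = clock_seed_32();
    const Secret victim = weak_secret(seed);
    const std::uint64_t fp = fingerprint(victim);
    // The attacker's time guess is 5000 ticks off; search 2^16 seeds either side.
    std::uint32_t recovered = 0;
    const bool ok = recover_seed(fp, seed + 5000u, 1u << 16, recovered);
    std::printf("weak seed recovered: %s\n", ok && recovered == seed ? "yes" : "no");
    const Secret good = strong_secret();
    std::printf("strong secret first byte: 0x%02x\n", good[0]);
    return 0;
}
```

The point the loop makes is that output length is irrelevant: a 256-bit key derived from a 32-bit seed is a 32-bit key, and the search space is small enough that the attacker does not even need the time guess, only the public address to compare against.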
