OneKey responds to the Milk Sad incident, confirming that the vulnerability does not affect the security of its software and hardware wallets

ChainCatcher news, according to OneKey's Chinese Twitter, regarding the recent "Milk Sad incident" involving a random number vulnerability, the OneKey team clarifies that this vulnerability does not affect the security of the mnemonic phrases and private keys of OneKey's software and hardware wallets.

The vulnerability originates from the Libbitcoin Explorer (bx) version 3.x, which uses a pseudo-random number generator based on system time and the Mersenne Twister-32 algorithm, with a seed space of only 2³² bits. Attackers can derive private keys through prediction or brute force. The affected range includes some older versions of Trust Wallet and all products using bx 3.x or older versions of Trust Wallet Core. OneKey states that its hardware wallets use EAL6+ secure chips with built-in TRNG true random number generators; older devices also pass SP800-22 and FIPS140-2 entropy tests; the software wallet uses system-level CSPRNG entropy sources to generate random numbers, meeting cryptographic standards. The team emphasizes that users are advised to manage assets using hardware wallets and should not import mnemonic phrases generated by software wallets into hardware wallets to ensure the highest level of security.