Bitcoin Forum
Topic: URGENT is electrum affected?
Folio (OP)
May 11, 2021, 07:41:53 PM
 #1

Hi, the guys at cakewallet have warned people who had a 12 word wallet in their old version.
Is electrum affected by the same problem too?

https://www.reddit.com/r/Monero/comments/n9yypd/urgent_action_needed_for_bitcoin_wallets_cake/
hosseinimr93
May 11, 2021, 08:46:41 PM
 #2

Electrum generates the seed phrase 100% random.
If you have downloaded electrum from its official website and you are the only one who has access to your seed, there is nothing to worry about.
Just keep your seed phrase offline and in a safe place.

BitMaxz
May 11, 2021, 11:46:18 PM
 #3

I read the link and they are only talking about their wallet, not Electrum.
This is what they said:

Quote
This issue is NOT with the Monero wallets – but only with Bitcoin wallets.

It means the bitcoin wallets from their own app not the other Bitcoin wallets like Electrum, mycelium, wasabi, or any bitcoin wallets.

There might be sort of a problem on their wallet that generates invalid random seeds or maybe there are other reasons why they are pushing users to generate a new seed (maybe they are compromised or maybe they want to log all generated seeds).

Anyway, if you are using Cake wallet for storing your BTC I suggest you switch to other wallets like Electrum. Or if you already made a Bitcoin wallet on Cake wallet I'm sure the seed you generated from their old cake wallet will also work on Electrum, just make sure you know the exact derivation path of that wallet.

However, it is still recommended to use a newly generated seed from Electrum compared to the seed you generated from the cake wallet.

pooya87
May 12, 2021, 02:49:51 AM
 #4

No, Electrum is not affected since it is using RNGs correctly!


It seems like poor code by Cake wallet specifically since they claim that it only affects the bitcoin wallet not the Monero wallet. Why should the entropy generation be different based on wallet type?! Key sizes are the same and the byte array (the entropy) generated for either individual keys or the master key or the entropy for mnemonic generation is all the same.

Also size of the entropy should not affect the security or lack of it as long as it is bigger than 128 bits. Saying the "12-word Bitcoin seed" was vulnerable while the 24-word wasn't raises serious questions about the "fix" and whether there are serious flaws in their cryptography!

FinneysTrueVision
May 12, 2021, 03:41:23 AM
 #5

The issue only affects Cake Wallet. This is why I don't use altcoin wallets to store bitcoin. Cake Wallet is a Monero focused wallet that recently started adding other currencies. Their experience is not with Bitcoin so I wouldn't expect it to have all the necessary features and it might not have the same security standards that we expect in the bitcoin community.

HCP
May 12, 2021, 06:08:34 AM
Merited by pooya87 (1)
 #6

Quote
Our developers found that insufficient randomness was used while generating the 12-word Bitcoin seed. As we continue to strive to improve the platform and security, BTC wallets generated from version 4.1.7 onwards use a 24-word seed as well as we replaced random bytes generation by platform specific generator further enhancing the security of the wallets.

and then a bit further down the thread:
Quote
Hang on, was this previously using Random from the math package to generate the seed? I want to make sure I'm reading this right.

Edit: Yep, that appears to be the case.

The randomBytes function is called by generateMnemonic without a second parameter, causing it to use the insecure random implementation: https://github.com/cake-tech/cake_wallet/blob/b67bb0664f7268c31c24bd9fb9cbd438c691f5e3/lib/bitcoin/bitcoin_mnemonic.dart#L11-L22. Good god.



The Dart API says:
Random class

A generator of random bool, int, or double values.

The default implementation supplies a stream of pseudo-random bits that are not suitable for cryptographic purposes.
Use the Random.secure constructor for cryptographic purposes.
(NOTE: emphasis added)

Constructors

Random([int? seed])
Creates a random number generator. [...]

Random.secure()
Creates a cryptographically secure random number generator. [...]


Looking at the Cake Wallet github code that was linked... you can see if the randomBytes method is called without the "secure" parameter being set to "true", it will default to "false" and you end up with the insecure Random() number generator instead of the Random.secure() cryptographically secure RNG! #yikes

An old note I found here: http://commondatastorage.googleapis.com/dartlang-api-docs/13991/dart_math/Random.html indicates that the original insecure Random() uses "up to" 64 bits of seed
Quote
Implementation note: The default implementation uses up to 64-bits of seed.

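Added example (not part of the thread and not Cake Wallet's code): a Dart sketch of the default-parameter pattern described in post #6, next to a hardened form that cannot fall back to the non-cryptographic generator. The names randomBytesWeak, randomBytesSecure and bytesFromSeed, the seed value 42 and the 16-byte length are assumptions made up for illustration.

```dart
import 'dart:math';
import 'dart:typed_data';

// Fill a buffer one byte at a time from whichever generator is passed in.
Uint8List _fill(Random rng, int length) {
  final out = Uint8List(length);
  for (var i = 0; i < length; i++) {
    out[i] = rng.nextInt(256);
  }
  return out;
}

// Pattern described in the thread (reconstructed, hypothetical signature):
// `secure` defaults to false, so a caller that omits it silently gets the
// non-cryptographic Random().
Uint8List randomBytesWeak(int length, {bool secure = false}) =>
    _fill(secure ? Random.secure() : Random(), length);

// Hardened form: no flag to forget, always the platform CSPRNG.
// Random.secure() throws UnsupportedError if no secure source exists,
// which is preferable to degrading quietly.
Uint8List randomBytesSecure(int length) => _fill(Random.secure(), length);

// Why the default generator is unsuitable for seeds: its entire output is
// a function of its internal seed, so equal seeds give equal "entropy".
Uint8List bytesFromSeed(int seed, int length) => _fill(Random(seed), length);

String hex(Uint8List b) =>
    b.map((x) => x.toRadixString(16).padLeft(2, '0')).join();

void main() {
  const len = 16; // constructed sample length
  final a = hex(bytesFromSeed(42, len));
  final b = hex(bytesFromSeed(42, len));
  print('seeded Random, run 1: $a');
  print('seeded Random, run 2: $b');
  print('identical: ${a == b}');
  print('weak default: ${hex(randomBytesWeak(len))}');
  print('secure:       ${hex(randomBytesSecure(len))}');
}
```

In review, treating any Random() construction on a key, seed or nonce path as a defect catches this class of bug before release.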
pooya87
May 12, 2021, 08:18:08 AM
 #7

https://github.com/cake-tech/cake_wallet/blob/b67bb0664f7268c31c24bd9fb9cbd438c691f5e3/lib/bitcoin/bitcoin_mnemonic.dart#L112
This is another good example of why people shouldn't use unpopular low quality multi currency wallets that keep popping up these days, especially for mobile! You see this one that is open source had such a serious flaw, who knows what the closed source ones do!

ranochigo
May 12, 2021, 03:16:54 PM
 #8

Quote
There might be sort of a problem on their wallet that generates invalid random seeds or maybe there are other reasons why they are pushing users to generate a new seed(Maybe they are compromised or maybe they want to log all generated seeds).

Anyway, If you are using Cake wallet for storing your BTC I suggest you switch to other wallets like Electrum. Or if you already made a Bitcoin wallet on Cake wallet I'm sure the seed you generated from their old cake wallet will also work on Electrum just make sure you know the exact derivation path of that wallet.

It doesn't generate invalid random seeds, quite the opposite; it generates a valid non-random seed. Electrum uses randrange, which is seeded from the OS's CSPRNG (/dev/urandom), and it thus generates a seed with sufficient entropy and is not prone to issues like this. Unfortunately, there are just way too many developers who overlook certain aspects which are arguably pretty important and are putting their users' funds at risk. This isn't the first time something like this has happened.

Are the signatures generated by the wallet deterministic or do they rely on the flawed RNG as well?
