Hello Cardano Community,
I hope this message finds you well.
I am a security researcher who has been extensively analyzing the generation and validation of BIP-39 mnemonic recovery phrases across multiple blockchain ecosystems, including Ethereum, Solana, Bytecoin, and others. During this research, I have identified what appears to be a non-uniform entropy distribution in the structure of these generated seed phrases.
Key Observations:
- High frequency of certain words disproportionately appearing as the first, middle, or last words in mnemonic phrases.
- Abnormal validation rates, with statistical anomalies that suggest the possibility of non-random recovery patterns.
- A potential vulnerability in the entropy of seed phrase generation that could allow for reduced search space and a higher likelihood of wallet recovery through brute force.
Given that BIP-39 is an open-source standard, I believe it is crucial to share these findings with the wider community to ensure the continued security of wallet generation across multiple platforms.
I initially attempted to open an issue on the BIP-39 GitHub repository, but due to repository contribution restrictions, I was unable to submit directly. As per the recommendation from the Cardano Foundation Community, I am sharing my findings here for further discussion.
Impact:
This potential weakness could affect wallet providers or platforms relying on BIP-39 without adequate entropy checks or enhancements, leading to risks of unauthorized wallet access.
I am open to collaboration on further research and investigations into potential solutions, such as improving the randomness of mnemonic generation and ensuring entropy checks are enforced across all implementations.
Supporting Information Available:
- Research scripts used for generating and analyzing mnemonic phrases.
- Frequency distribution charts showing the occurrence of specific words in various positions of the mnemonic.
- Datasets of non-sensitive wallet addresses for validation purposes.
Looking forward to your thoughts and feedback.
Best regards,
Okba [ GUIAR OQBA ]
Security Researcher
techokba@gmail.com
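
A per-position word-frequency check of the kind the post describes can be reproduced offline. The following is an added example, not the poster's research scripts: it derives BIP-39 word indices from entropy as the specification defines and computes a chi-square statistic for each word position. The `sample` generator, its forced-zero first byte, and the six-sigma threshold are constructed assumptions.

```python
import hashlib
from collections import Counter

WORDS = 2048  # BIP-39 wordlist size: each word encodes 11 bits

def entropy_to_indices(entropy: bytes) -> list:
    """BIP-39 encoding: entropy || first ENT/32 bits of SHA-256(entropy), in 11-bit groups."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def position_chi_square(mnemonics: list) -> list:
    """Pearson chi-square of observed word indices against uniform, per position."""
    expected = len(mnemonics) / WORDS
    stats = []
    for pos in range(len(mnemonics[0])):
        counts = Counter(m[pos] for m in mnemonics)
        stats.append(sum((counts[w] - expected) ** 2 / expected for w in range(WORDS)))
    return stats

def flag_positions(stats: list, sigmas: float = 6.0) -> list:
    """Positions whose statistic exceeds mean + sigmas*sd of chi-square with 2047 df."""
    df = WORDS - 1
    limit = df + sigmas * (2 * df) ** 0.5
    return [i for i, s in enumerate(stats) if s > limit]

def sample(n: int, weak: bool = False) -> list:
    """Constructed sample: entropy taken from SHA-256(counter), reproducible offline.
    weak=True zeroes the first entropy byte to imitate a faulty generator."""
    out = []
    for i in range(n):
        ent = hashlib.sha256(i.to_bytes(8, "big")).digest()[:16]
        if weak:
            ent = b"\x00" + ent[1:]
        out.append(entropy_to_indices(ent))
    return out

if __name__ == "__main__":
    for label, weak in (("sound", False), ("weak", True)):
        stats = position_chi_square(sample(20000, weak))
        print(label, "flagged positions:", flag_positions(stats))
```

To check a real wallet generator, pass its decoded word indices to `position_chi_square` in place of `sample`.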