Why Weak Seed Generation Can Put Crypto Wallets at Risk for Years
Over the years, multiple incidents have shown that wallet security can collapse when randomness generation goes wrong, turning recovery phrases that should be impossible to brute-force within the lifetime of the universe into something an attacker could search through in a matter of days.
The Milk Sad research is one example of this pattern. Weak randomness in wallet seed generation caused affected wallets to be created from far fewer possible seeds than expected, turning a problem that should have been impossible to solve into a realistic brute-force target.
While investigating a recent incident involving the draining of hundreds of wallets, we identified the root cause: a seed generation flow that ultimately relied on an insecure source of randomness.
We are still working through the full investigation and are deliberately withholding specific technical details until our analysis and any coordinated disclosure are complete. In the meantime, we are sharing initial recommendations for users and wallet developers based on what we learned from this experience.
A Weak Seed Stays Weak Forever
Recovery phrases are permanent secrets: if a wallet was created with weak randomness, updating the app does not make that recovery phrase safer.
A wallet application or software library may have patched the vulnerable code years ago, but recovery phrases generated before that fix remain affected.
You may have generated a recovery phrase in one wallet and later imported it into another, but the new application does not change how that seed was originally created.
The risk from a compromised or weak seed is not limited to a single unauthorized transaction: every account and address derived from that seed, on every network, is exposed, including future deposits.
Software can change over time, but a wallet seed’s strength is forever bound to the randomness it was born from.
Recommendations for Users
Wallet generation failures are uncommon, so users may not recognize them as a possible root cause. When funds are missing, the first suspicion is usually phishing, a compromised device, an operational mistake, or a malicious smart contract approval.
Reduce risk before an incident
The best protection is to use a hardware wallet whenever possible, especially for long-term holdings or significant funds. If a hardware wallet is not practical for your use case, choose a well-known software wallet with a strong security track record, such as wallets with high scores in Coinspect’s Wallet Security Ranking.
A wallet compromise caused by insecure randomness may not be obvious immediately. Pay attention to official wallet provider updates, security advisories, and in-app notifications.
Respond to suspected compromise
If missing funds point to a possible private key compromise, consider whether the seed itself may have been compromised or weak from the start.
Because the same recovery phrase can control assets across different networks and accounts, a compromise may not appear everywhere at once. Users should review all supported networks and assets, not only the chain where suspicious activity was first observed.
Moving the same recovery phrase to another app or hardware wallet does not fix the problem. The safe path is to create a new wallet with secure randomness and transfer funds to addresses controlled by the new recovery phrase.
Migrate carefully
Once weak seed generation is suspected, assume attackers may already be monitoring the addresses derived from it. Moving funds can be risky, especially on networks where an account first needs to receive a native token to pay transaction fees. That funding transaction can give an automated attacker a chance to sweep the account before the user can move the remaining assets.
For significant balances, many assets, or assets spread across multiple networks, users should consider getting help from the wallet provider or a trusted incident-response team. In some cases, funds may need to be rescued through a coordinated sweep that minimizes the window between funding the account and transferring the assets out.
Recommendations for Wallet Developers
Weak seed generation bugs are rare, so teams may not already have a response playbook for them. But when they do happen, they require more than a normal patch-and-release cycle.
Prevent weak seed generation
Entropy for wallet creation should come directly from the cryptographically secure API provided by the underlying operating system. Avoid unnecessary wrappers around randomness generation: they can introduce unexpected fallbacks, environment-specific behavior, and subtle type conversions that weaken security without obvious failures.
Randomness failures should be treated as fatal. Wallet creation should stop rather than falling back to non-cryptographic randomness.
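As an added example (not code from the original post or from any wallet it discusses), the wrapper anti-pattern described above next to a fail-closed alternative, followed by the BIP-39 step that turns the entropy into word-list indices; the function names are our own.

```python
# Added example: fail-closed BIP-39 entropy generation beside the
# silent-fallback wrapper anti-pattern. Not code from the post or any wallet.
import hashlib
import os
import random

ALLOWED_BITS = (128, 160, 192, 224, 256)  # BIP-39 entropy sizes


def unsafe_entropy(bits: int) -> bytes:
    """ANTI-PATTERN: convenience wrapper with a silent fallback.
    random.getrandbits() is a Mersenne Twister, not a CSPRNG. If the
    fallback ever fires, the caller cannot tell and the seed is searchable."""
    try:
        return os.urandom(bits // 8)
    except Exception:  # swallows the failure instead of aborting
        return random.getrandbits(bits).to_bytes(bits // 8, "big")


def secure_entropy(bits: int) -> bytes:
    """Fail-closed: read directly from the OS CSPRNG. Any error propagates,
    so wallet creation stops instead of degrading to weak randomness."""
    if bits not in ALLOWED_BITS:
        raise ValueError("BIP-39 entropy must be 128..256 bits in 32-bit steps")
    ent = os.urandom(bits // 8)  # raises on failure; no fallback path exists
    if len(ent) != bits // 8:
        raise RuntimeError("short read from OS CSPRNG")
    return ent


def entropy_to_word_indices(entropy: bytes) -> list:
    """BIP-39: append the first ENT/32 bits of SHA-256(entropy) as checksum,
    then split the ENT+CS bit string into 11-bit word-list indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in ALLOWED_BITS:
        raise ValueError("invalid entropy length")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    n = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    word_count = (ent_bits + cs_bits) // 11
    return [(n >> (11 * (word_count - 1 - i))) & 0x7FF for i in range(word_count)]
```

With the all-zero 128-bit BIP-39 test vector, the indices are eleven 0s ("abandon") followed by 3 ("about"), which lets the checksum step be verified without embedding the word list.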
Respond to vulnerable generation paths
If a vulnerable seed generation path is found, the response should not stop at patching the software. Wallet generation vulnerabilities require historical analysis, not just a review of the current version. Developers should determine whether any older version may have generated recovery phrases with insufficient or insecure entropy.
Affected users should be guided to create new secure wallets and migrate funds to addresses derived from new recovery phrases.
Wallets should also consider import-time checks for recovery phrases that may match known vulnerable generation output. If a seed may have been created by an insecure random generator, the wallet should warn the user clearly that reimporting the same recovery phrase into an updated app does not fix the underlying risk.
The Research Challenge
Finding a vulnerable seed generation path is only the first step. The harder problem is measuring the real exposure: which apps used it, which versions were affected, how many wallets were created that way, and whether any of those recovery phrases still control funds.
This becomes harder when wallet apps are closed source, old releases are unavailable, or the vulnerable code arrives through an opaque supply-chain or platform-specific build.
Exposure cannot be inferred directly from wallet addresses. Blockchain addresses are designed not to reveal anything about the recovery phrase behind them, and an address on one chain does not tell you which addresses the same seed may control on another chain or derivation path.
To estimate exposure — as the Milk Sad researchers did for their case — we have to reproduce the vulnerable generation process, enumerate or sample the resulting weak seed space where feasible, derive their addresses, and compare them against public blockchain data. This work can be computationally intensive, but it is the only way to identify affected wallets, funds still at risk, and assets that may be exposed across other networks or accounts.
Conclusion
Wallet generation failures are not ordinary software bugs. Once a recovery phrase is created with insufficient or insecure entropy, the risk can persist across apps, networks, accounts, and future deposits. Users should treat suspected private key compromise as a seed-level risk, and wallet developers should investigate whether any past version may have created weak recovery phrases.
We will continue our investigation and publish more technical details and resources as the work progresses. For updates, or if you believe you may be affected, follow our social network accounts or contact us.