According to OneKey's Chinese Twitter account, regarding the random number vulnerability involved in the recent "Milk Sad incident," the OneKey team clarified that the vulnerability does not affect the security of the mnemonics and private keys of OneKey's software and hardware wallets.
The vulnerability stems from Libbitcoin Explorer (bx) 3.x, which uses a pseudo-random number generator based on the system time and the Mersenne Twister-32 algorithm. Because the seed is only 32 bits (2³² possible values), attackers can predict or brute-force the private key. This vulnerability affects some older versions of Trust Wallet and all products using bx 3.x or older versions of Trust Wallet Core.
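To make the weakness concrete, the following added example (not code from OneKey, Libbitcoin, or Trust Wallet) contrasts a time-seeded Mersenne Twister with an OS-backed CSPRNG. Python's `random.Random` is also MT19937, but its seeding differs from C++ `std::mt19937`, so this illustrates the class of defect rather than reproducing bx output bit for bit. All function names and the constructed clock-seeding stand-in are assumptions for this example.

```python
import random
import secrets
import time

WEAK_SEED_BITS = 32        # bx 3.x seeded its generator from a 32-bit value
STRONG_ENTROPY_BITS = 256  # what a 32-byte wallet seed should actually carry


def weak_entropy(seed: int, nbytes: int = 32) -> bytes:
    """Illustrative weak pattern: a Mersenne Twister seeded with a 32-bit value.

    Every byte of the output is a deterministic function of the seed, so a
    256-bit 'random' seed produced this way has at most 32 bits of entropy.
    """
    if not 0 <= seed < 2 ** WEAK_SEED_BITS:
        raise ValueError("seed must fit in 32 bits")
    rng = random.Random(seed)  # MT19937 under the hood
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def weak_entropy_from_clock(nbytes: int = 32) -> bytes:
    """Constructed stand-in for 'seed from system time' (hypothetical).

    Anyone who knows roughly when the key was generated knows roughly which
    seed was used, which is the root of the problem the page describes.
    """
    return weak_entropy(int(time.time()) & 0xFFFFFFFF, nbytes)


def strong_entropy(nbytes: int = 32) -> bytes:
    """Hardened form: pull entropy from the operating system's CSPRNG."""
    return secrets.token_bytes(nbytes)


def effective_entropy_bits(seed_bits: int, output_bits: int) -> int:
    """A PRNG cannot output more entropy than it was seeded with."""
    return min(seed_bits, output_bits)


def is_reproducible(generator, seed: int, nbytes: int = 32) -> bool:
    """True if calling the generator twice with the same seed yields the same
    bytes, i.e. the 'random' output is fully determined by the seed."""
    return generator(seed, nbytes) == generator(seed, nbytes)


if __name__ == "__main__":
    print("weak output reproducible from seed:", is_reproducible(weak_entropy, 12345))
    print("effective entropy of weak 256-bit seed:",
          effective_entropy_bits(WEAK_SEED_BITS, STRONG_ENTROPY_BITS), "bits")
    print("two CSPRNG draws identical:", strong_entropy() == strong_entropy())
```

The practical check for a reviewer of wallet code is the one `effective_entropy_bits` encodes: trace where the generator's seed comes from, and if it is a timestamp, a counter or any other value an outsider can narrow down, the key material inherits that small space regardless of how many output bytes are drawn.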
OneKey stated that its hardware wallet uses an EAL6+ security chip with a built-in true random number generator (TRNG); older devices have also passed SP 800-22 and FIPS 140-2 entropy testing. Its software wallet uses a system-level CSPRNG entropy source to generate random numbers, in line with cryptographic standards. The team emphasized that users are advised to manage their assets with hardware wallets and, for maximum security, not to import mnemonics generated by software wallets into hardware wallets.
