🧩 Description:
During extensive research into the generation and validation of BIP-39 mnemonic recovery phrases across multiple blockchain ecosystems (Ethereum, Solana, Bytecoin, etc.), I have observed what appears to be non-uniform entropy distribution in the structure of generated seed phrases.
This observation is based on a large dataset of programmatically generated phrases, analyzed across multiple languages (English, Czech, Portuguese, French), using legal and ethical methods, without targeting or accessing any unauthorized data.
📊 Key Observations:
High Frequency of Certain Words:
Specific words appear disproportionately as first, middle, or last words in valid mnemonic phrases.
Example: Some words appeared more than 300 times as initial words in generated valid phrases.
Abnormal Validation Rates:
From a test batch of 150,000 phrases:
Over 9,600 valid wallets for 12-word English phrases.
Over 14,000 valid wallets for 24-word English phrases.
Over 8,000 valid wallets for 24-word Czech phrases.
Non-Random Recovery Patterns:
Statistical anomalies indicate that valid phrase recovery might not be entirely random.
The probability of success at this scale would be extremely low unless a pattern or reduction in entropy exists.
🛡 Impact:
If such entropy weaknesses exist in the generation of seed phrases—whether due to implementation flaws, poor random number generation (RNG), or biased word selection—they may allow attackers to narrow down the search space and potentially recover access to real wallets.
This issue could impact any wallet providers or platforms relying solely on BIP-39 without sufficient entropy enhancement or post-generation randomness checks.
✅ Ethical Research Notes:
No private user data was accessed or misused.
The wallets referenced in this study were identified exclusively using statistical and analytical methods.
All actions were performed in a controlled, non-exploitative environment for security research purposes.
I am fully committed to responsible disclosure and open to further collaboration to ensure ecosystem safety.
🧪 Suggested Areas for Further Investigation:
Audit BIP-39 implementations for bias in mnemonic generation.
Test the RNG quality of commonly used wallet providers.
Introduce additional entropy-hardening layers or recommend entropy audits in BIP-39 usage.
Review the impact of language-specific word distributions on security.
📁 Supporting Materials Available Upon Request:
Scripts used for phrase generation and analysis.
Frequency distribution charts for seed word positions.
Datasets of non-funded/generated wallet addresses for research validation.
Short video demonstration of phrase validation logic (excluding any sensitive data).
🙏 Final Note:
This issue is shared with the goal of strengthening the security posture of BIP-39-based systems and ensuring that user funds remain safe in the long term. I welcome any input from the community and relevant maintainers.
Note: I initially attempted to submit this report via GitHub Issues, but due to repository contribution policies, I opted for this pull request instead, in line with the contributing guidelines.
Best regards, Okba [ GUIAR OQBA ], Security Researcher.