A flaw in older versions of MetaMask and Phantom could expose some wallets

Some compromised MetaMask and Phantom wallets

On Wednesday June 15, MetaMask published a blog post explaining that a flaw had been discovered in an old version of its wallet which could compromise the security of the funds of affected users.

This flaw only affects users who run MetaMask on a computer through a browser extension; users of the mobile application are therefore not affected. According to the press release, the flaw has been patched since version 10.11.3.

The firm therefore strongly encourages its users to update if they have not already done so. However, only a small number of users of the well-known Ethereum wallet appear to be affected.

According to MetaMask, a user is potentially affected if all three of the following conditions are met:

  • Their hard drive was not encrypted;
  • They imported their secret recovery phrase into the MetaMask browser extension on a potentially at-risk computer;
  • They checked the "Show secret recovery phrase" box during the import process.

If you meet all of these conditions, your wallet could be exposed. In that case, the MetaMask team strongly recommends transferring your funds to a new wallet on a secure device.

In addition, the vulnerability would particularly affect users who used the import method on a device that was compromised or stolen shortly afterwards.

However, the press release specifies that people using a hardware wallet (such as Ledger) to secure their funds are not exposed to this risk. This is an opportunity to recall how crucial it is to secure your cryptocurrencies with this type of wallet.

👉 To dig deeper: Cold wallet and recovery phrases – can you get all your cryptos back?

The Phantom wallet also affected

Phantom, one of the main wallets on the Solana (SOL) blockchain, is also affected. According to its own press release, patches began to be rolled out gradually from January, and the flaw was fully corrected by an update in April.

The flaw is the same as the one affecting the MetaMask wallet. In other words, a Phantom user may be affected if they imported their secret recovery phrase through a potentially vulnerable browser.

The blockchain security firm Halborn first discovered the vulnerability and reported it to the development teams of the two wallets, who thanked it warmly. MetaMask also chose to pay Halborn a $50,000 reward.

The security engineer who discovered the flaw last year has since joined the Phantom team, which, according to the company, has brought real added value to the security of its users:

“We are delighted to welcome Osama Amri, who discovered the threat last year while at Halborn […]. Thanks to the hard work of engineers Josiah Savary and Laamia Islam, not only have substantial parts of our codebase changed, but we’ve also completely rewritten the way we generate seed phrases.”

Phantom’s press release clarifies that the details of the vulnerability were not disclosed earlier so that all parties concerned could put an appropriate fix in place. The firm also wishes to share the source code of part of its wallet in order to help its counterparts:

“Once additional audits have been completed this summer, we plan to open source our BIP-39 package approach to seed phrase generation so that other wallets can also better protect themselves and their users.”

Once again, we take the liberty of reminding you that the best security for your cryptocurrencies is and will remain a hardware wallet, so that you remain fully in control of your funds.

👉 Read also: BAYC NFTs could be the target of a new attack, according to the co-founder of Yuga Labs

Sources: Medium MetaMask, Phantom blog


About the author: Maximilien Prué


Passionate about the world of decentralized finance and the innovations brought by Web 3.0, I write articles for Cryptoast to help make the blockchain more accessible to everyone. I am convinced that cryptocurrencies will change the future very soon.