Some MetaMask and Phantom wallets potentially compromised
On Wednesday June 15, MetaMask published a blog post explaining that a flaw had been discovered in an older version of its wallet which could compromise the security of affected users' funds.
This flaw only affects users who run MetaMask on a computer through the browser extension; users of the mobile application are therefore not affected. According to the announcement, the flaw has been patched since version 10.11.3.
MetaMask therefore strongly encourages its users to update if necessary. However, this would a priori concern only a handful of users of the well-known Ethereum wallet.
Indeed, according to MetaMask, a user is potentially affected only if all three of the following conditions are met:
- their hard drive was not encrypted;
- they imported their secret recovery phrase into the MetaMask browser extension on a potentially at-risk computer;
- they checked the "Show secret recovery phrase" box during the import process.
If you meet all of these conditions, your wallet could be exposed. In that case, the MetaMask team strongly recommends transferring your funds to a new wallet on a secure device.
In addition, the vulnerability would particularly affect users who used the import method on a device that was compromised or stolen shortly afterwards.
However, the announcement specifies that people who use a hardware wallet (such as Ledger) to secure their funds are spared this potential risk. It is an opportunity to recall how crucial it is to secure your cryptocurrencies with this type of wallet.
The Phantom wallet is also affected
Phantom, one of the main wallets of the Solana (SOL) blockchain, is also affected. According to its own announcement, patches began to be rolled out gradually from January, until the flaw was fully corrected by an update in April.
The flaw is presented in the same way as for the MetaMask wallet: a Phantom user may be affected once they have imported their secret recovery phrase from a potentially vulnerable browser.
It was the blockchain security firm Halborn that first discovered the vulnerability, before reporting it to the development teams of both wallets, who thanked the company warmly. MetaMask also chose to pay Halborn a $50,000 reward.
The security engineer who discovered the flaw last year has since joined the Phantom team, which, according to the company, has brought real added value to the security of its users:
“We are delighted to welcome Osama Amri, who discovered the threat last year while at Halborn […]. Thanks to the hard work of engineers Josiah Savary and Laamia Islam, not only have substantial parts of our codebase changed, but we’ve also completely rewritten the way we generate seed phrases.”
Phantom’s announcement clarifies that the details of the vulnerability were not disclosed earlier so that all parties concerned could deploy an appropriate fix. The firm also wishes to share the source code of part of its wallet in order to help its peers:
“Once additional audits have been completed this summer, we plan to open source our BIP-39 package approach to seed phrase generation so that other wallets can also better protect themselves and their users.”
Once again, we take the liberty of reminding you that the best security for your cryptocurrencies is and will remain a hardware wallet, so that you remain fully in control of your funds.
Sources: MetaMask (Medium), Phantom blog